By: ellvtr

After enabling Public Key Authentication, I can still log in without from other machine

November 2, 2015
Security

Hi, I just enabled public key authentication on my Ubuntu 15.10 x64 droplet - and indeed, next time I logged in from my machine (called "nas2"), I was prompted to enter the pass-phrase. I then proceeded to log in from another machine (my laptop) - same user, same Ubuntu server - and I could still log in from my laptop with simple user-password authentication - no private key available on that machine.

I assume that is not supposed to happen? That defeats the purpose of having that extra layer of authentication if it can be bypassed like that?

I followed the steps in this tutorial:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04 - "Step Four — Add Public Key Authentication"

4 comments
  • You've enabled public key auth, but that doesn't automatically disable password login. To do so you need to change PasswordAuthentication yes to PasswordAuthentication no.

  • Thanks a lot! Now that leads to the next question: Now that I can only log in from this particular machine (nas2) which has the private key stored - how do I go about authenticating another device, such as my laptop? Can I simply copy the file with the private key from nas2 to the other device? Or would I have to create a new private + public key on the laptop, then proceed to add the new public key to the server - which I probably can't do using ssh-copy-id because I can't log in with ssh before it is uploaded?

  • You will want to generate a new key on your laptop, then send it to NAS2, and have that computer place it in the authorized_keys folder.

  • Great, thanks for your help mate! Will try that!

1 Answer

This question was answered by @telling:

You've enabled public key auth, but that doesn't automatically disable password login. To do so you need to change PasswordAuthentication yes to PasswordAuthentication no.

  • Thanks for making that clear. I thought comments were sufficient - now I see that the structure here is similar to stackexchange which has a clear distinction between comments and answers.
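
A check for the setting discussed in the answer above, added here as an example (it is not code from the thread or the tutorial). It reads sshd_config text and reports the effective global PasswordAuthentication value; the function names and the three sample configs are constructed for illustration.

```shell
#!/bin/sh
# Effective global PasswordAuthentication value for sshd_config text on stdin.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and an unset keyword falls back to the default "yes".
password_auth_effective() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }     # drop comments, allow key=value
        NF == 0 { next }                      # blank or comment-only line
        tolower($1) == "match" { exit }       # audit the global section only
        tolower($1) == "passwordauthentication" { found = tolower($2); exit }
        END { print (found == "" ? "yes" : found) }
    '
}

# Succeeds only when password login is switched off globally.
password_login_disabled() {
    [ "$(password_auth_effective)" = "no" ]
}

# Constructed sample configs (not taken from a real server).
# STOCK: the directive is only present as a comment, so the default applies.
STOCK='#PasswordAuthentication yes
PubkeyAuthentication yes'
# LATE: "no" was appended below an existing "yes"; the first value wins.
LATE='PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'
# HARDENED: password login is off, key login stays on.
HARDENED='PubkeyAuthentication yes
passwordauthentication no'

for name in STOCK LATE HARDENED; do
    eval "cfg=\$$name"
    printf '%-9s PasswordAuthentication=%s\n' "$name" \
        "$(printf '%s\n' "$cfg" | password_auth_effective)"
done
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually uses, and sshd has to be reloaded before an edited sshd_config takes effect.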
