Newbie question about DO's sshd_config settings

November 7, 2016 249 views
DigitalOcean Articles Ubuntu 16.04

Created new Ubuntu 16.04 LAMP droplet with SSH key installed. According to "Step Five — Disable Password Authentication (Recommended)" of the initial server setup DO article at

I should open the sshd_config file and make sure "PasswordAuthentication no" is set.

The last line of my sshdconfig file, however, reads "PasswordAuthentication yes" Here's a snippet of the last part of my sshdconfig file:

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2

PasswordAuthentication yes

So, my newbie question is, because of the placement of the last line underneath "Subsystem sftp /usr/lib/openssh/sftp-server" does the last "PasswordAuthentication yes" apply to the sftp subsystem only? Or does the final "PasswordAuthentication yes" basically enable password authentication for OpenSSH as a whole?

Just wondering whether this "PasswordAuthentication yes" (and "UsePAM yes") settings in the snippet are the settings that I need to change?



1 Answer

I tested this by creating a Droplet with 16.04 LAMP image and it does applies to whole OpenSSH.
So if you set to no, it'll disable password authentication at all.

A Subsystem directive just configures (enables) external subsystem. As I understand, everything after it, is still OpenSSH config and applies to OpenSSH as whole.

There is docs about Subsystem if you want to learn more:

Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.

The command sftp-server(8) implements the ''sftp'' file transfer subsystem.

Alternately the name ''internal-sftp'' implements an in-process ''sftp'' server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.

By default no subsystems are defined. Note that this option applies to protocol version 2 only.

So tl;dr - yes it's enough to just set it (that last) to no to disable password authentication.

Have another answer? Share your knowledge.