By Bob
Created new Ubuntu 16.04 LAMP droplet with SSH key installed. According to “Step Five — Disable Password Authentication (Recommended)” of the initial server setup DO article at
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04
I should open the sshd_config file and make sure “PasswordAuthentication no” is set.
The last line of my sshd_config file, however, reads “PasswordAuthentication yes”. Here’s a snippet of the last part of my sshd_config file:
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
PasswordAuthentication yes
So, my newbie question is, because of the placement of the last line underneath “Subsystem sftp /usr/lib/openssh/sftp-server” does the last “PasswordAuthentication yes” apply to the sftp subsystem only? Or does the final “PasswordAuthentication yes” basically enable password authentication for OpenSSH as a whole?
Just wondering whether these “PasswordAuthentication yes” (and “UsePAM yes”) settings in the snippet are the settings that I need to change?
Thanks.
Bobby
I tested this by creating a Droplet with the 16.04 LAMP image and it does apply to the whole of OpenSSH. So if you set it to no, it’ll disable password authentication altogether.
A Subsystem directive just configures (enables) an external subsystem. As I understand it, everything after it is still OpenSSH config and applies to OpenSSH as a whole.
There are docs about Subsystem if you want to learn more:
Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.
The command sftp-server(8) implements the ''sftp'' file transfer subsystem.
Alternately the name ''internal-sftp'' implements an in-process ''sftp'' server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.
By default no subsystems are defined. Note that this option applies to protocol version 2 only.
So tl;dr - yes, it’s enough to just set it (that last one) to no to disable password authentication.
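An added example, not part of the question or the answer above, that resolves an sshd_config keyword the way sshd itself does: comment and blank lines are ignored, the first active occurrence of a keyword wins, and anything under a Match block is conditional rather than global. Directives such as Subsystem open no scope, so the “PasswordAuthentication yes” appended after it is a global setting. The sample configs are constructed to mirror the snippet in the question; the function names and the “(compiled-in default)” marker are this example’s own.

```shell
#!/bin/sh
# effective_setting KEYWORD  (reads an sshd_config on stdin)
# Prints the value sshd would use for KEYWORD: first active match wins,
# keyword comparison is case-insensitive, Match-block lines are skipped.
effective_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            split($0, f, /[ \t=]+/)                # "Keyword value" or "Keyword=value"
            i = (f[1] == "") ? 2 : 1               # leading blanks yield an empty field
            kw = tolower(f[i])
        }
        kw == "match" { in_match = 1; next }       # everything below here is conditional
        in_match { next }
        kw == key { print f[i + 1]; found = 1; exit }
        END { if (!found) print "(compiled-in default)" }
    '
}

# disable_password_auth  (stdin -> stdout)
# Rewrites every active PasswordAuthentication line to "no". Editing only the
# last line is not enough when an earlier active line exists, because sshd keeps
# the first value it reads.
disable_password_auth() {
    sed 's/^[[:space:]]*PasswordAuthentication[[:space:]=][[:space:]=]*.*/PasswordAuthentication no/'
}

# Constructed sample mirroring the question: the stock line is commented out and
# the build process appended an active "yes" after the Subsystem directive.
sample_as_shipped() { cat <<'EOF'
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
PasswordAuthentication yes
EOF
}

# Constructed sample with two active lines: the earlier "yes" is the one sshd uses,
# so flipping only the trailing line to "no" would leave password logins enabled.
sample_first_wins() { cat <<'EOF'
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no
EOF
}

# Constructed sample where the keyword appears only inside a Match block:
# the global value is still sshd's compiled-in default.
sample_only_in_match() { cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

# Stand-alone demonstration.
printf 'as shipped : %s\n'  "$(sample_as_shipped | effective_setting PasswordAuthentication)"
printf 'hardened   : %s\n'  "$(sample_as_shipped | disable_password_auth | effective_setting PasswordAuthentication)"
printf 'first wins : %s\n'  "$(sample_first_wins | effective_setting PasswordAuthentication)"
printf 'match only : %s\n'  "$(sample_only_in_match | effective_setting PasswordAuthentication)"
```

On the live server the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the value sshd actually resolved from the whole file (keywords in that output are lowercased); run it before restarting the service after an edit.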