Newbie question about DO's sshd_config settings

Created new Ubuntu 16.04 LAMP droplet with SSH key installed. According to “Step Five — Disable Password Authentication (Recommended)” of the initial server setup DO article at

I should open the sshd_config file and make sure “PasswordAuthentication no” is set.

The last line of my sshd_config file, however, reads “PasswordAuthentication yes” Here’s a snippet of the last part of my sshd_config file:

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2

PasswordAuthentication yes

So, my newbie question is, because of the placement of the last line underneath “Subsystem sftp /usr/lib/openssh/sftp-server” does the last “PasswordAuthentication yes” apply to the sftp subsystem only? Or does the final “PasswordAuthentication yes” basically enable password authentication for OpenSSH as a whole?

Just wondering whether this “PasswordAuthentication yes” (and “UsePAM yes”) settings in the snippet are the settings that I need to change?




Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

I tested this by creating a Droplet with 16.04 LAMP image and it does applies to whole OpenSSH. So if you set to no, it’ll disable password authentication at all.

A Subsystem directive just configures (enables) external subsystem. As I understand, everything after it, is still OpenSSH config and applies to OpenSSH as whole.

There is docs about Subsystem if you want to learn more:

Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.

The command sftp-server(8) implements the ''sftp'' file transfer subsystem.

Alternately the name ''internal-sftp'' implements an in-process ''sftp'' server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.

By default no subsystems are defined. Note that this option applies to protocol version 2 only.

So tl;dr - yes it’s enough to just set it (that last) to no to disable password authentication.