Created new Ubuntu 16.04 LAMP droplet with SSH key installed. According to “Step Five — Disable Password Authentication (Recommended)” of the initial server setup DO article at
I should open the sshd_config file and make sure “PasswordAuthentication no” is set.
The last line of my sshd_config file, however, reads “PasswordAuthentication yes”. Here’s a snippet of the last part of my sshd_config file:

```
Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
PasswordAuthentication yes
```
So, my newbie question is, because of the placement of the last line underneath “Subsystem sftp /usr/lib/openssh/sftp-server” does the last “PasswordAuthentication yes” apply to the sftp subsystem only? Or does the final “PasswordAuthentication yes” basically enable password authentication for OpenSSH as a whole?
Just wondering whether these “PasswordAuthentication yes” (and “UsePAM yes”) settings in the snippet are the ones I need to change?
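The two sshd_config(5) rules that decide this question are worth seeing in working form: a keyword is global unless it sits below a `Match` line (`Subsystem` is an ordinary directive and opens no scope), and for each keyword the first value obtained wins, so an uncommented `PasswordAuthentication no` higher up would beat a `yes` appended at the end. The evaluator below is an added illustration written for this page, not code from the question or from OpenSSH; the sample config is constructed to mirror the posted tail of the file, and only the `User` and `all` Match criteria are modelled.

```python
"""Toy sshd_config evaluator (added illustration, not OpenSSH code).

Implements two rules from sshd_config(5): every keyword is global unless it
sits below a Match line, and for each keyword the first value obtained wins.
Only the 'User' and 'all' Match criteria are modelled here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the tail of a DigitalOcean-built sshd_config.
SAMPLE_CONFIG = """\
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
PasswordAuthentication yes
"""

Directives = Dict[str, str]
MatchBlock = Tuple[List[str], Directives]


def parse_sshd_config(text: str) -> Tuple[Directives, List[MatchBlock]]:
    """Split a config into global directives and Match blocks (file order).

    Keywords are case-insensitive in sshd, so they are lower-cased; values
    keep their case. setdefault() implements the first-value-wins rule.
    """
    global_opts: Directives = {}
    blocks: List[MatchBlock] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: no effect on the config
        # "Keyword value" or "Keyword=value"; the value may contain spaces
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}  # everything below now belongs to this block
            blocks.append((value.split(), current))
            continue
        current.setdefault(keyword, value)
    return global_opts, blocks


def _match_applies(criteria: List[str], user: Optional[str]) -> bool:
    """Evaluate 'Match all' or 'Match User a,b,...' for a connection."""
    if criteria == ["all"]:
        return True
    for key, pattern in zip(criteria[0::2], criteria[1::2]):
        if key.lower() != "user":
            return False  # criterion not modelled here: treat as no match
        if user is None or user not in pattern.split(","):
            return False
    return len(criteria) > 0


def effective_options(text: str, user: Optional[str] = None) -> Directives:
    """Options sshd would apply to one connection.

    Matching Match blocks override the global value; among several matching
    blocks the first value obtained wins, as in the global section.
    """
    options, blocks = parse_sshd_config(text)
    overrides: Directives = {}
    for criteria, directives in blocks:
        if _match_applies(criteria, user):
            for keyword, value in directives.items():
                overrides.setdefault(keyword, value)
    return {**options, **overrides}


def password_auth_enabled(text: str, user: Optional[str] = None) -> bool:
    """sshd defaults PasswordAuthentication to 'yes' when it is unset."""
    opts = effective_options(text, user)
    return opts.get("passwordauthentication", "yes") == "yes"


if __name__ == "__main__":
    print("as posted:", password_auth_enabled(SAMPLE_CONFIG))
    hardened = SAMPLE_CONFIG.replace(
        "PasswordAuthentication yes", "PasswordAuthentication no")
    print("last line set to no:", password_auth_enabled(hardened))
```

On a real host the authoritative check is `sshd -T` (extended test mode), which prints the effective configuration after all of these rules are applied; `sshd -T -C user=deploy` shows it for a specific user. Grep its output for `passwordauthentication` after editing the file and restarting sshd, rather than trusting the position of a line in the file.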