Question

password authentication no - still prompts for PW on connect

I wrote about my other troubles with SSH here https://www.digitalocean.com/community/questions/permission-denied-publickey-non-root-user?answer=47656

I cannot get rid of the password prompt for non-root users. For the root user it does not ask. This is the sshd_config. Are there any errors? I did not make any changes.


#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Also, another problem I have is that I cannot stop the PW prompt when moving between users. If I disable with passwd -d user or passwd -d root then I will not be able to switch into the account.

  1. How do I disable the password for connection and use only ssh with non-root user?
  2. How do I disable the password when switching between users?

Answer

For 1: If you want to only allow public key authentication, PasswordAuthentication no should be sufficient; make sure you include the public key when accessing your server (in OpenSSH, use -i /path/to/key). It really doesn’t matter if the password prompt appears when you don’t include the identity file. That will happen anyway. What matters is that the password shouldn’t actually work; login should only work with a public key. When attempting to use a password you should get: Permission denied [publickey].

To disable SSH access for non-root users, add PermitRootLogin no to sshd_config. PasswordAuthentication no is usually sufficient to only allow public-key access, though adding said public key is a bit more complicated; you need to generate the SSH key using your SSH client (in OpenSSH, the ssh-keygen command is used), then copy the contents of the public key to the .ssh/authorized_keys file in each user’s home folder.

For 2: How to disable the switch user password prompt depends on how you are switching users. If you are switching users from root, there shouldn’t be a prompt at all when switching users with su <username>. Non-root users require a password by design.

If I’m misinterpreting your intention, please tell me; I’m not sure I understand what you’re asking here.
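An added example, not part of the question or the answer above: a small audit of an sshd_config that reports the authentication keywords actually in force, since sshd keeps the first value it reads for a keyword and a Match block can change the setting for some users only. The sample config is constructed from the active lines in the question; the duplicate line, the `Match User deploy` block and the function names are assumptions for illustration.

```python
AUTH_KEYS = {"pubkeyauthentication", "passwordauthentication",
             "challengeresponseauthentication", "kbdinteractiveauthentication",
             "usepam", "permitrootlogin", "authenticationmethods"}

def parse_sshd_config(text):
    """Return (global_settings, match_overrides) for auth-related keywords.

    sshd uses the first value obtained for each keyword, so later duplicates
    in the global section are ignored. Keywords that follow a Match line only
    apply to connections satisfying that Match.
    """
    global_settings, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
        elif key in AUTH_KEYS:
            if current_match is None:
                global_settings.setdefault(key, value)  # first value wins
            else:
                overrides.append((current_match, key, value))
    return global_settings, overrides

def password_paths(settings):
    """Keywords that can produce a password prompt and are not set to 'no'."""
    keys = ("passwordauthentication", "challengeresponseauthentication")
    return [k for k in keys if settings.get(k, "unset").lower() != "no"]

# Constructed sample: active lines from the question's config, plus a
# hypothetical duplicate and a hypothetical Match block to show precedence.
SAMPLE = """\
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    settings, overrides = parse_sshd_config(SAMPLE)
    print("global:", settings)
    print("not disabled globally:", password_paths(settings))
    for criteria, key, value in overrides:
        print(f"Match {criteria}: {key} = {value}")
```

On a live server, `sshd -T` prints the effective configuration directly, and adding `-C user=<name>` evaluates Match blocks for that user. A file-based check like this one does not see settings that come from other files or from a daemon that was not restarted after the edit.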