Question

password authentication no - still prompts for PW on connect

Posted November 20, 2018 8k views
Getting Started, Ubuntu 18.04

I wrote about my other troubles with SSH here https://www.digitalocean.com/community/questions/permission-denied-publickey-non-root-user?answer=47656

I cannot get rid of the password prompt for non-root users. For the root user it does not ask. This is the sshd_config. Are there any errors? I did not make any changes.


```
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp  /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server
```

Also, another problem I have is that I cannot stop the PW prompt when moving between users. If I disable with passwd -d user or passwd -d root then I will not be able to switch into the account.

  1. How do I disable the password for connection and use only ssh with non-root user?
  2. How do I disable the password when switching between users?

1 answer

For 1: If you want to only allow public key authentication, PasswordAuthentication no should be sufficient; make sure you include the public key when accessing your server (in OpenSSH, use -i /path/to/key). It really doesn’t matter if the password prompt appears when you don’t include the identity file. That will happen anyway. What matters is that the password shouldn’t actually work; login should only work with a public key. When attempting to use a password you should get: Permission denied [publickey].

To disable SSH access for non-root users, add PermitRootLogin no to sshd_config. PasswordAuthentication no is usually sufficient to only allow public-key access, though adding said public key is a bit more complicated; you need to generate the SSH key using your SSH client (in OpenSSH, the ssh-keygen command is used), then copy the contents of the public key to the `.ssh/authorized_keys` file in each user’s home folder.

For 2: How to disable the switch user password prompt depends on how you are switching users. If you are switching users from root, there shouldn’t be a prompt at all when switching users with su <username>. Non-root users require a password by design.

If I’m misinterpreting your intention, please tell me; I’m not sure I understand what you’re asking here.

  • Correction: sshd_config, authorized_keys

    • Hi,

      The problem was I had an SSH key that matched exactly (I checked in diff tool) on the server and the client and it still prompted for PW, even with the sshd_config I posted.

      But I appreciate you trying to help. I am aware of what you write, and except for setting PermitRootLogin no I already have all this set up. I don’t set PermitRootLogin no because I sometimes can’t get into the user, so have to login as root (not in general practice, just now since I can’t SSH properly with users). Otherwise I’ll lose access to my droplet.

      I’ve recreated the droplet about 5-6 times and it seems to be working now. It’s not set up exactly like I want but when I previously edited files to change this, files that had nothing to do with SSH, it started with the public key error again.

      At least I can login now.
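
An added example, not part of the thread or of OpenSSH: one server-side reason a matching key can be rejected for a non-root account is `StrictModes`, which is left at its default of `yes` in the posted sshd_config. With it on, sshd will not use `authorized_keys` if that file, `~/.ssh` or the home directory is writable by group or others, or is owned by anyone other than the user or root. The function name `check_key_perms` and the demo directory are constructed for illustration, and GNU `stat` (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: list the ownership/mode problems that make sshd, with
# StrictModes at its default of "yes", ignore a user's authorized_keys.

# check_key_perms HOME UID -> one line per problem; returns 1 if any found.
check_key_perms() {
    home=$1; want=$2; bad=0
    # sshd checks the key file and every directory up to the home directory.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$p")   # octal permissions, e.g. 700
        uid=$(stat -c '%u' "$p")    # numeric owner
        # The owner must be the login user or root (uid 0).
        if [ "$uid" != "$want" ] && [ "$uid" != "0" ]; then
            echo "OWNER $p is owned by uid $uid, expected $want"; bad=1
        fi
        # No write bit for group or others (mask 022).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p has mode $mode (group/other writable)"; bad=1
        fi
    done
    return $bad
}

# Constructed demo: a throwaway "home" whose .ssh directory is group-writable.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh" && : > "$tmp/.ssh/authorized_keys"
    chmod 755 "$tmp"; chmod 775 "$tmp/.ssh"
    chmod 600 "$tmp/.ssh/authorized_keys"
    check_key_perms "$tmp" "$(id -u)"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "demo: problems reported above (expected for this layout)"
```

On a server, run it as root for each account, for example `check_key_perms /home/USER "$(id -u USER)"` with `USER` as a placeholder. When this check is what blocks the key, sshd logs "Authentication refused: bad ownership or modes" in the auth log.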
