
weird default security choice for droplets re sshd_config?

Posted on October 26, 2023

Looks to me like the default for droplets, even when choosing SSH keys, is that there's no line saying PasswordAuthentication no. So is it that even with SSH keys specified, it still allows people to log in with a password?! Ubuntu 23.10 x64


Heya @userdo,

In the sshd_config file there is a line that includes the sshd configs from the /etc/ssh/sshd_config.d/ directory:

Include /etc/ssh/sshd_config.d/*.conf

If you go into that folder and check the 50-cloud-init.conf you'll see it has PasswordAuthentication set to no.

In general, when using SSH keys for authentication on an Ubuntu server, the default configuration does not allow password-based authentication by default. However, it’s essential to confirm the server’s SSH configuration to ensure that password-based authentication is indeed disabled.

You can check the SSH server configuration by looking at the /etc/ssh/sshd_config file. You can use a text editor or a command like cat or less to view the file. Here’s how you can check the relevant configuration options:

Check the SSH configuration file:

cat /etc/ssh/sshd_config

Look for the following lines in the sshd_config file:

PasswordAuthentication no

If you find this line, it means that password-based authentication is disabled, and SSH keys are required for authentication. If the line is missing or commented out (with a # at the beginning), it means the default behavior is still allowing password-based authentication.

Also, as mentioned, there are additional sshd config files that you might need to inspect to verify whether password authentication is disabled.

Regards
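The answer above makes the key point that the Include line at the top of sshd_config pulls in /etc/ssh/sshd_config.d/50-cloud-init.conf, and that sshd uses the first value it obtains for each keyword, so a setting in an included file takes precedence over anything later in the main file. The bash script below is an added example, not code from the original post or from DigitalOcean: it builds a throwaway config tree that resembles what the answer describes (the file contents are constructed for the demo) and resolves an option the way sshd does: first match wins, Include expanded in place where it appears, and lines inside a Match block not counted as the global value. On a real host the authoritative check is sudo sshd -T | grep -i passwordauthentication, which prints the effective configuration; this script exists to show why grepping only /etc/ssh/sshd_config can mislead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): resolve the effective global
# value of an sshd option across Include'd files. Assumptions: keywords are
# whitespace-separated ("Key value"; the "Key=value" form is not handled),
# Include paths are absolute, and everything after a Match line is conditional.
set -eu

# _sshd_first_match CONFIG_FILE lowercase_option
# Prints the first global value for the option, following Include in place.
# Prints nothing if no readable file sets it.
_sshd_first_match() {
    local cfg="$1" want="$2"
    local line key val f found in_match=0
    [ -r "$cfg" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop comments
        line="${line#"${line%%[![:space:]]*}"}"     # trim leading whitespace
        line="${line%"${line##*[![:space:]]}"}"     # trim trailing whitespace
        [ -n "$line" ] || continue
        key="${line%%[[:space:]]*}"
        val="${line#"$key"}"
        val="${val#"${val%%[![:space:]]*}"}"
        key="$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')"
        if [ "$key" = match ]; then
            in_match=1                              # rest of file is conditional
            continue
        fi
        [ "$in_match" -eq 0 ] || continue
        if [ "$key" = include ]; then
            # word-split and glob-expand like sshd; unreadable/missing files are skipped
            for f in $val; do
                found="$(_sshd_first_match "$f" "$want")"
                if [ -n "$found" ]; then
                    printf '%s\n' "$found"
                    return 0
                fi
            done
        elif [ "$key" = "$want" ]; then
            printf '%s\n' "$val"                    # first match wins
            return 0
        fi
    done < "$cfg"
    return 0
}

# sshd_effective_option CONFIG_FILE Option
# Prints the effective value, or "unset" when sshd's compiled-in default applies
# (for PasswordAuthentication that default is yes).
sshd_effective_option() {
    local want v
    want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    v="$(_sshd_first_match "$1" "$want")"
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# make_demo_config ROOT
# Constructed sample tree (hypothetical contents) resembling the droplet layout.
make_demo_config() {
    local root="$1"
    mkdir -p "$root/sshd_config.d"
    cat > "$root/sshd_config" <<EOF
# constructed sample, not a real sshd_config
Include $root/sshd_config.d/*.conf
Port 22
#PasswordAuthentication yes
KbdInteractiveAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
    cat > "$root/sshd_config.d/50-cloud-init.conf" <<EOF
PasswordAuthentication no
EOF
}

demo_root="$(mktemp -d)"
make_demo_config "$demo_root"
echo "Naive check, main file only (misleading: one comment, one Match-scoped line):"
grep -n -i 'PasswordAuthentication' "$demo_root/sshd_config" || true
echo "Effective global value with Include and Match resolved:"
echo "PasswordAuthentication $(sshd_effective_option "$demo_root/sshd_config" PasswordAuthentication)"
rm -rf "$demo_root"
```

Deleting the constructed 50-cloud-init.conf and rerunning makes the option come back as unset, which is exactly the situation the question worries about: with no included file setting it, the commented-out line in sshd_config does nothing and sshd falls back to its default of allowing passwords. Match-scoped lines are deliberately excluded because they only apply to the matched users or hosts, not globally.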
