weird default security choice for droplets re sshd_config?

Looks to me like default for droplets even when choosing SSH keys, is there’s no line saying PasswordAuthentication no So is it that even with SSH keys specified, it still allows people to log in with a password?! Ubuntu 23.10 x64

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Site Moderator
Site Moderator badge
October 30, 2023

In general, when using SSH keys for authentication on an Ubuntu server, the default configuration does not allow password-based authentication by default. However, it’s essential to confirm the server’s SSH configuration to ensure that password-based authentication is indeed disabled.

You can check the SSH server configuration by looking at the /etc/ssh/sshd_config file. You can use a text editor or a command like cat or less to view the file. Here’s how you can check the relevant configuration options:

Check the SSH configuration file:

  1. cat /etc/ssh/sshd_config

Look for the following lines in the sshd_config file:

  1. PasswordAuthentication no

If you find this line, it means that password-based authentication is disabled, and SSH keys are required for authentication. If the line is missing or commented out (with a # at the beginning), it means the default behavior is still allowing password-based authentication.

Also as mentioned there are additional sshd config files that you might need to inspect to verify if the password authentication is disabled.


Site Moderator
Site Moderator badge
October 30, 2023

Heya @userdo,

In the sshd_config file there is a line that includes the sshd configs from the /etc/ssh/sshd_config.d/ directory:

Include /etc/ssh/sshd_config.d/*.conf

If you go into that folder and check the 50-cloud-init.conf you’ll see it has the PasswordAuthentication set to No.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel