23

I'm trying to configure my server to disable password authentication, I'm using keys now.

The problem is that PasswordAuthentication no is set, but it has had no effect. I'm still prompted for a password even though that's set.

More details:

  • I'm connecting to Ubuntu Server 14.04 from PuTTY on Windows 10.
  • ssh -v shows it uses my key first, then keyboard-interactive second.
  • I made sure I edited sshd_config, not ssh_config.
  • I restarted ssh after applying the changes; when that had no effect I restarted the whole server, still no effect.
  • I have this exact same config file on another 14.04 server with this exact same key, but it has no issues and password auth is disabled there.

Why isn't password auth disabled as it should be, and how can I fix it?

This is the entire sshd_config file minus all commented lines for brevity.

Port 612
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

vaindil
  • 1,369

5 Answers

16

The thing is that password authentication using PAM (as on all modern systems) is handled by the ChallengeResponseAuthentication option, which is yes by default.

ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.

This is mentioned many times in the example sshd_config.

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

Add it to your sshd_config with the value no, restart, and it will work for you:

ChallengeResponseAuthentication no
Jakuje
  • 10,827
7

Depending on the Linux distribution: if you are using Ubuntu 22, try this:

sshd -T | grep passwordauthentication

If you see the output passwordauthentication yes, some configurations are set prior to the default /etc/ssh/sshd_config; they are located in /etc/ssh/sshd_config.d/. You can search for passwordauthentication in them or simply remove them by

rm /etc/ssh/sshd_config.d/*
Victor23d
  • 71
  • 1
  • 2
2

One silly mistake I made (and took a while to realize) was that instead of editing sshd_config I was editing ssh_config, and that was the reason why the changes did not have the intended effect.

0

In my case none of the changes in sshd_config were taking effect on a fresh install of Ubuntu Server on a Raspberry Pi 4. Purging openssh-server and reinstalling it solved it for me.

Commands for reference:

apt purge openssh-server
rm -rf /etc/ssh (may be necessary if using apt remove)
apt install openssh-server
0

In my case, I noticed that PasswordAuthentication was overridden by /etc/ssh/sshd_config.d/50-cloud-init.conf.

I changed this file and this fixed the issue.
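As an added example (not code from this page, from any answerer, or from OpenSSH), the following Python resolver applies sshd's first-value-wins rule across a main sshd_config and the drop-ins its Include line pulls in, in lexical order, to show which file actually decides PasswordAuthentication and why an unset ChallengeResponseAuthentication still lets PAM prompt. It goes slightly beyond the answers above by also showing a drop-in that sorts before 50-cloud-init.conf; the config trees, the 00-hardening.conf name and the DEFAULTS table are constructed for the example, and `sshd -T` remains the authoritative check on a real host.

```python
import glob
import os
import re
import tempfile

# Built-in defaults from sshd_config(5) for the keywords this page discusses (assumed
# for this example; confirm with `sshd -T`). ChallengeResponseAuthentication is the
# older alias of KbdInteractiveAuthentication, which is what PAM passwords ride on.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def resolve(path, seen=None):
    """Read one config file, following Include globs in lexical order.
    sshd keeps the FIRST value it meets for a keyword, so `seen` is only added to."""
    seen = {} if seen is None else seen
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.split("#", 1)[0].strip()           # drop comments and blanks
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            if len(parts) < 2:
                continue
            key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1].strip()
            if key == "match":      # everything after Match is conditional; ignored here
                break
            if key == "include":
                for pattern in value.split():             # assumes absolute patterns
                    for inc in sorted(glob.glob(pattern)):
                        resolve(inc, seen)
            elif key not in seen:
                seen[key] = (value, f"{path}:{lineno}")
    return seen

def effective(base):
    """Effective (value, origin) for each keyword in DEFAULTS."""
    seen = resolve(base)
    return {k: seen.get(k, (d, "built-in default")) for k, d in DEFAULTS.items()}

def demo(main, drop_ins):
    """Build a throwaway /etc/ssh-like tree from constructed text and resolve it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sshd_config.d"))
    for name, text in drop_ins.items():
        with open(os.path.join(root, "sshd_config.d", name), "w") as f:
            f.write(text)
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write(f"Include {root}/sshd_config.d/*.conf\n" + main)
    return effective(os.path.join(root, "sshd_config"))

# Constructed scenarios: the page's situation (drop-in wins, PAM prompt still on) and a fix.
BROKEN = demo("PasswordAuthentication no\nUsePAM yes\n",
              {"50-cloud-init.conf": "PasswordAuthentication yes\n"})
FIXED = demo("PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n",
             {"50-cloud-init.conf": "PasswordAuthentication yes\n",
              "00-hardening.conf": "PasswordAuthentication no\n"})
```

Running `print(BROKEN)` shows passwordauthentication coming from 50-cloud-init.conf and kbdinteractiveauthentication from the built-in default, which is exactly the combination that keeps the password prompt alive.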