Linux server only pubkey for ssh not working
Posted by akisha_009@reddit | linuxadmin | 28 comments
Hey,
I have a Linux server and I want to secure it. I've read that the most common and best way to secure it is to make a pubkey and disable password login. I searched on how to do it and I'm stuck at the part where I have to disable password login.
Everyone is saying that I should set sshd_config like this:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
The problem is I don't have all these settings.
Help is appreciated a lot.
This is my current config:
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile /home/aleksa/.ssh/authorized_keys /home/petar/.ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
wakamoleo@reddit
Add the lines to your current config and restart the service: `systemctl restart sshd`.
akisha_009@reddit (OP)
I am currently using ssh to config this, but I can access the device if something goes wrong.
Hotshot55@reddit
For future reference, restarting the sshd service won't kill your current session.
akisha_009@reddit (OP)
oh okay, thanks
BinBashBuddy@reddit
But if you set sshd_config wrong you'll lock out future sessions, which means you can't reconnect to fix it once you close your open session, so having access to the actual device is nice.
akisha_009@reddit (OP)
"Failed to restart sshd.service: Unit sshd.service not found."
michaelpaoli@reddit
SIGHUP to the running sshd process - the one listening on (at least by default) TCP port 22.
That'll work regardless what init system you're using.
akisha_009@reddit (OP)
my dad opened the different one; when my friend (who also has a key) tries to log in he uses port 65022
michaelpaoli@reddit
Whatever, port isn't particularly relevant.
wakamoleo@reddit
Ok, so sshd is the remote service and ssh is the client. If your remote server doesn't have sshd installed, it won't have the functionality to act as a remote server for incoming ssh connections. Which flavour of linux are you using and is it a desktop or server image? Usually server images have sshd pre-installed.
bash_M0nk3y@reddit
Probably not the case but didn't older versions of Ubuntu call the service ssh instead of sshd?
OP, you can find it with this command:
systemctl list-units | grep ssh
akisha_009@reddit (OP)
I did the command and I get ssh.service and ssh.socket. I restarted both of them, logged out and tried to log in with the password; I still can...
bash_M0nk3y@reddit
You should only have to restart the service, just so you know for later.
akisha_009@reddit (OP)
thanks, but the problem wasn't solved, I can still log in using a password
akisha_009@reddit (OP)
It's a normal Linux Ubuntu server. I found that the service name is ssh.service, not sshd.
bash_M0nk3y@reddit
Sounds like an older version of Ubuntu considering the service is still called ssh.service as opposed to sshd.service. Check out my other top level comment about the sshd_config.d/ directory. There may be settings hiding in there.
bash_M0nk3y@reddit
OP, notice the Include line near the top of your current config. Some distros have gotten in the habit of hiding certain settings in separate files in that directory. It's a good practice to take a peek at all files in /etc/ssh/sshd_config.d/ to make sure any settings aren't in there that you might not want. For example, I once had a system that would still accept password auth even after disabling it in the main sshd_config file. It turned out to be set to yes in a file hiding in that directory.
akisha_009@reddit (OP)
I literally had one file named 50-cloud-init.conf in that folder that you told me about, and the only thing in it was PasswordAuthentication yes. Thanks a LOT, that solved the issue!
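Why the drop-in won over the main file: sshd_config(5) says that for each keyword the first obtained value is used, and an Include is read at the point where it appears. With `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file, `PasswordAuthentication yes` in 50-cloud-init.conf is obtained before the `PasswordAuthentication no` further down, so the "no" is silently ignored. The script below is an added example, not code from the thread: it walks a config the way sshd does (first value wins, Include expanded in place, relative Include paths resolved under /etc/ssh, anything after a Match line treated as conditional) and reports which file and line actually set a keyword. The sample config it builds is a constructed copy of OP's layout in a temp directory; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: resolve the value sshd will use for a keyword and show where
# it came from, following OpenSSH's "first obtained value wins" rule.

# _sshd_walk FILE keyword-in-lowercase
# Prints "<value><TAB><file>:<line>" of the winning directive and returns 0;
# returns 1 if the keyword is not set globally in FILE or anything it includes.
_sshd_walk() {
    local file="$1" want="$2" lineno=0 line key rest inc f
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line="${line#"${line%%[![:space:]]*}"}"      # trim leading whitespace
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        key="${line%%[[:space:]=]*}"                  # keyword token
        rest="${line#"$key"}"
        rest="${rest#"${rest%%[![:space:]=]*}"}"      # value: trim leading ws / '='
        rest="${rest%"${rest##*[![:space:]]}"}"       # trim trailing whitespace
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
        case "$key" in
            match)
                # Directives after Match only apply to matching connections;
                # like "sshd -T" without -C, this global resolver stops here.
                return 1 ;;
            include)
                set -f; set -- $rest; set +f          # split into words without globbing
                for inc in "$@"; do
                    case "$inc" in /*) ;; *) inc="/etc/ssh/$inc" ;; esac   # relative paths live under /etc/ssh
                    for f in $inc; do                 # glob expansion happens here, in order
                        [ -f "$f" ] || continue
                        _sshd_walk "$f" "$want" && return 0   # first hit in an include wins
                    done
                done ;;
            "$want")
                printf '%s\t%s:%d\n' "$rest" "$file" "$lineno"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# effective_sshd_option CONFIG KEYWORD
effective_sshd_option() {
    _sshd_walk "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# build_sample_config DIR: constructed copy of the layout from the thread, an
# Include at the top, "PasswordAuthentication no" below it, a cloud-init
# drop-in that re-enables passwords, and a Match block at the end.
build_sample_config() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config" <<EOF
Include $1/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
Match User anoncvs
X11Forwarding no
EOF
    echo 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
}

# Stand-alone demo: show the override, then apply the fix (the drop-in has
# to say "no" too, or be removed, because it is read before the main file).
demo_cloud_init_override() {
    local dir
    dir=$(mktemp -d)
    build_sample_config "$dir"
    printf 'before fix: '; effective_sshd_option "$dir/sshd_config" PasswordAuthentication
    echo 'PasswordAuthentication no' > "$dir/sshd_config.d/50-cloud-init.conf"
    printf 'after fix:  '; effective_sshd_option "$dir/sshd_config" PasswordAuthentication
    rm -rf "$dir"
}
demo_cloud_init_override
```

On a real host the authoritative check is the daemon itself, not a script: `sshd -T | grep -i '^passwordauthentication'` (run as root, since it needs the host keys) prints the effective value after all includes, `sshd -T -C user=alice,addr=203.0.113.5` shows what a Match block would do for a given connection, and `sshd -t` syntax-checks the file before you restart and risk locking yourself out.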
apathyzeal@reddit
Not working HOW
ikanpar2@reddit
All the settings are there, just read them line by line. Erase # to uncomment the line and make it active. Leave authorized key file location at its default ( .ssh/authorized_keys) so each user can have his/her own public key at /home/theirusername/.ssh/authorized_keys
akisha_009@reddit (OP)
Just read them line by line and didn't really find anything. I have generated keys for me and I am logging in with the key. The problem is that I can't disable logging in with a password.
michaelpaoli@reddit
sshd_config(5) for more information.
That man page should have the available configuration options correlating to the version you have installed.
If you get the syntax wrong, sshd will generally fail to reload (or if it's not running, fail to start).
And yes, you can disable logging in with password via ssh - that applies to at least all non-ancient versions of sshd. You didn't specify what version you're running.
sshd -V
will give you the version.
Read The Fine Manual (RTFM).
You may have these options available:
AuthenticationMethods
GSSAPIAuthentication
KbdInteractiveAuthentication
KerberosAuthentication
PasswordAuthentication
UsePAM
But exactly what options you have available will depend upon your version of sshd - and even how it was compiled ... not mine, not anybody else's, so check your documentation.
wakamoleo@reddit
ikanpar2 is correct. Only the 'ChallengeResponseAuthentication' is missing from the config.
ikanpar2@reddit
Where is your config? In a debian / Ubuntu server (I think the location is universal) it's at /etc/ssh/sshd_config Don't forget to restart sshd (systemctl restart sshd) to apply the config.
wakamoleo@reddit
Therein lies the issue. It looks like they're not using a server distro, so will have to install openssh-server to get sshd running.
bash_M0nk3y@reddit
sshd_config probably wouldn't be there if the ssh server package wasn't installed
akisha_009@reddit (OP)
service is called ssh.service but config directory is etc/ssh/sshd_config
kernpanic@reddit
Run sshd in debug mode on a different port - will give you many more clues as to what is wrong.