Deactivate password login via SSH under Ubuntu
Or: Why security settings must always be tested
One of the first things I always change on a new server is /etc/ssh/sshd_config, in order to deactivate password login via SSH:
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM no
Normally you assume that the entries are correct and working, test the login from your own PC and are satisfied when you see that your key is being used. That test, however, only proves that key login works; it says nothing about whether password login is still possible.
Cloud Init
Of course, Ubuntu nowadays ships with cloud-init, and since Ubuntu 20.04 sshd_config pulls in a drop-in directory, in which cloud-init places a new config file called /etc/ssh/sshd_config.d/50-cloud-init.conf, which contains one single line:
PasswordAuthentication yes
sshd uses the first value it reads for each keyword and ignores later occurrences, and Ubuntu's sshd_config pulls in the sshd_config.d directory with an Include directive right at the top of the file. The line in 50-cloud-init.conf is therefore almost always the first occurrence of the PasswordAuthentication directive, it wins, and password login remains enabled despite all other settings.
To completely deactivate the option of logging in with a password, the file must therefore be deleted or edited. As this file serves only that one purpose, it can be deleted with a clear conscience; restart sshd afterwards and check the effective configuration rather than the file you edited.
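To see the precedence rule at work and to verify the result on a real host, here is an added example in shell; it is not code from the original post. It emulates sshd's first-value-wins rule over a constructed copy of the Ubuntu layout in a temporary directory, with the hardened settings in sshd_config and cloud-init's drop-in next to them, and then defines the two checks to run afterwards: asking sshd itself with `sshd -T` on the host, and a password-only login attempt from the outside. The sshd path, the use of sudo and the `user@host` target are assumptions about the host; the sample config files are constructed data.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Emulates sshd's
# "first obtained value wins" rule across sshd_config and its Include'd
# drop-ins, builds a constructed copy of the Ubuntu layout in a temp dir,
# and defines the live checks for a real host. Limitations of the emulation:
# a Match block ends the scan (global settings only), and only the
# "Keyword value" form is parsed, not "Keyword=value".

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_value KEYWORD CONFIG_FILE
# Walks CONFIG_FILE in order; on "Include pattern" it descends into the
# matching files in lexical (glob) order, at the point where the Include
# sits. Prints the first value found for KEYWORD and returns 0, else 1.
effective_value() {
  local kw cfg key rest inc v
  kw=$(lc "$1"); cfg=$2
  [ -r "$cfg" ] || return 1
  while read -r key rest || [ -n "$key" ]; do
    case $(lc "$key") in
      ''|'#'*) continue ;;                     # blank line or comment
      match)   return 1 ;;                     # global section ends here
      include)
        for inc in $rest; do                   # unquoted on purpose: glob expansion
          if v=$(effective_value "$kw" "$inc"); then
            printf '%s\n' "$v"; return 0
          fi
        done ;;
      "$kw")   printf '%s\n' "${rest%%[[:space:]]*}"; return 0 ;;   # first hit wins
    esac
  done < "$cfg"
  return 1
}

# make_demo_config DIR: constructed sample data mirroring an Ubuntu host,
# hardened settings in sshd_config plus cloud-init's drop-in. No real host
# is touched.
make_demo_config() {
  local root=$1
  mkdir -p "$root/sshd_config.d"
  cat > "$root/sshd_config" <<EOF
# Ubuntu puts this Include at the very top of the file
Include $root/sshd_config.d/*.conf
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
  printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
}

# Walk through the scenario from the post: drop-in present, then deleted.
demo() {
  local root
  root=$(mktemp -d)
  make_demo_config "$root"
  echo "with 50-cloud-init.conf : PasswordAuthentication=$(effective_value PasswordAuthentication "$root/sshd_config")"
  rm "$root/sshd_config.d/50-cloud-init.conf"   # the fix from the post
  echo "after deleting the file: PasswordAuthentication=$(effective_value PasswordAuthentication "$root/sshd_config")"
  rm -rf "$root"
}

# On the real host: ask sshd for its effective configuration. This is the
# authoritative check (Match blocks and all). Path and sudo are assumptions.
live_check() {
  sudo /usr/sbin/sshd -T | grep -iE '^(passwordauthentication|kbdinteractiveauthentication|usepam) '
}

# From another machine: refuse to offer any key, so a password is the only
# option left. "Permission denied (publickey)" means password login is off;
# a password prompt means it is still on. $1 is user@host (assumed).
probe_from_outside() {
  ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive \
      -o ConnectTimeout=5 "$1" true
}

demo
```

Run the script as-is to see the emulation print `yes` while the drop-in exists and `no` once it is gone; on the server, `live_check` must show `passwordauthentication no` after the sshd restart, and `probe_from_outside user@host` from a different machine must be refused with `publickey` as the only method offered.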
Concluding remarks
- This situation clearly shows that security settings must always be tested, no matter how carefully the configuration was carried out, and tested from the outside as well: in this case by attempting a login without your own key and confirming that it is refused.
- WTF Canonical?