On 11/08/2020 11:21, Walter Dnes wrote:
> The one service I have listening for external connections on my laptop
> is sshd (192.168.1.0/24). Before taking it anywhere, I want to prohibit
> password-based login for *ALL* accounts, not just root. This would
> require users to be listed in ~/.ssh/authorized_keys. Looking through
> /etc/ssh/sshd_config I *THINK* that I need to set "no" at...
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
>
> Is that correct? If not, what is the correct setting to change?
>

Hi Walter,

Yes, that's one of the options you need to disable. The other one is
"ChallengeResponseAuthentication" which will also disable PAM-based
authentication (which may include passwords).

So you should have the following global settings in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

PubkeyAuthentication should default to "yes" but it doesn't hurt to
explicitly set it in case the defaults ever change.

If you so wish, you can also have configurations based on IP address
and/or network. It can be useful as a "fallback" mechanism from trusted
clients, e.g.:

Match Address 192.168.1.0/24
    PasswordAuthentication yes

- Victor
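
An added example, not part of the original messages: a Python check that reads sshd_config text and reports every context, global or Match block, in which the two options named in the reply still allow password-style logins. The sample configurations are constructed, and an unset option is assumed to default to "yes".

```python
import re

# Options named in the reply that permit password-style logins. An unset option
# is treated as "yes" (assumption: the OpenSSH default, as the commented-out
# "#PasswordAuthentication yes" in the question suggests).
PASSWORD_OPTIONS = ("passwordauthentication", "challengeresponseauthentication")

def parse(config_text):
    """Split sshd_config text into [(context, {keyword: value})] blocks."""
    blocks = [("global", {})]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            blocks.append(("Match " + argument, {}))  # runs to next Match or EOF
        else:
            # sshd keeps the first value it obtains for a keyword
            value = argument.split()[0] if argument else ""
            blocks[-1][1].setdefault(keyword, value)
    return blocks

def audit(config_text):
    """Return (context, option) pairs where password-style login is allowed."""
    findings = []
    for context, opts in parse(config_text):
        for option in PASSWORD_OPTIONS:
            if context != "global" and option not in opts:
                continue  # Match block inherits the global value, reported there
            if opts.get(option, "yes") != "no":
                findings.append((context, option))
    return findings

# Constructed sample configurations based on the settings in the reply.
HARDENED = """PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
WITH_FALLBACK = HARDENED + """Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
STOCK = "#PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("fallback", WITH_FALLBACK), ("stock", STOCK)):
        print(name, audit(text) or "no password-style logins enabled")
```

The Match finding is the point to review before the laptop leaves the home network: 192.168.1.0/24 is a common private range, so the fallback also applies on any other network that uses it.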