On 11/08/2020 11:21, Walter Dnes wrote:
>   The one service I have listening for external connections on my laptop
> is sshd (192.168.1.0/24).  Before taking it anywhere, I want to prohibit
> password-based login for *ALL* accounts, not just root.  This would
> require users to be listed in ~/.ssh/authorized_keys.  Looking through
> /etc/ssh/sshd_config I *THINK* that I need to set "no" at...
> 
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> 
>   Is that correct?  If not, what is the correct setting to change?
> 
Hi Walter,

Yes that's one of the options you need to disable. The other one is
"ChallengeResponseAuthentication" which will also disable PAM-based
authentication (which may include passwords). So you should have the
following global settings in /etc/ssh/sshd_config:

    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no

PubkeyAuthentication should default to "yes" but it doesn't hurt to
explicitly set it in case the defaults ever change.

If you so wish, you can also have configurations based on IP address
and/or network. It can be useful as a "fallback" mechanism from trusted
clients, e.g.:

    Match Address 192.168.1.0/24
        PasswordAuthentication yes


- Victor
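
The following is an added example, not code from this thread: a small audit of sshd_config text that reports every scope (global or a Match block such as the one above) where password-capable login remains enabled. The function and constant names are hypothetical, an unset keyword is assumed to default to "yes", and Include directives are not followed.

```python
import re

# Added example, not code from the thread. Keys are lowercased sshd_config keywords.
PASSWORD_KEYWORDS = {
    "passwordauthentication": "PasswordAuthentication",
    "challengeresponseauthentication": "ChallengeResponseAuthentication",
    # Newer OpenSSH spelling; the old name is kept there as a deprecated alias.
    "kbdinteractiveauthentication": "ChallengeResponseAuthentication",
}
ASSUMED_DEFAULT = "yes"  # assumption: upstream default when a keyword is never set

# Constructed sample: the settings from the reply, including the Match fallback.
SAMPLE = """\
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def password_login_paths(config_text):
    """Return (scope, option) pairs that leave password-capable login enabled."""
    scopes, scope = {"global": {}}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if line.startswith("#") or not m or not m.group(2):
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "Match " + arg          # a Match block runs to the next Match/EOF
            scopes.setdefault(scope, {})
        elif keyword in PASSWORD_KEYWORDS:
            # sshd keeps the first value it obtains for a keyword within a scope.
            scopes[scope].setdefault(PASSWORD_KEYWORDS[keyword], arg.split()[0].lower())
    findings = []
    for name, seen in scopes.items():
        for option in ("PasswordAuthentication", "ChallengeResponseAuthentication"):
            # Global scope falls back to the default; Match blocks only count overrides.
            value = seen.get(option, ASSUMED_DEFAULT if name == "global" else None)
            if value == "yes":
                findings.append((name, option))
    return findings


if __name__ == "__main__":
    for scope, option in password_login_paths(SAMPLE):
        print(f"{scope}: {option} is enabled")
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself parses it; this parser only reads the text it is given.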
