I only want to allow pubkey authentication, but I'm currently
unable to disable the keyboard-interactive authentication method.

My sshd_config file:
Port 22
Protocol 2
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 1800
PermitRootLogin no
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
CheckMail no
UseLogin no
AllowUsers andreas
SyslogFacility AUTH
LogLevel INFO
RSAAuthentication no
DSAAuthentication yes
KbdInteractiveAuthentication no      <---- seems to have no effect
RhostsAuthentication no
RhostsRSAAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PasswordAuthentication no            <---- used to be sufficient for what I want
PermitEmptyPasswords no
Subsystem       sftp    /usr/libexec/sftp-server


Results of ssh -v:
(only what I believe is the relevant part, it's rather big)

(...)
debug: Found key in /home/andreas/.ssh/known_hosts2:1
debug: bits set: 1029/2049
debug: len 55 datafellows 0
debug: ssh_dss_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: Enabling compression at level 6.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
debug: key does not exist: /home/andreas/.ssh/identity
debug: try pubkey: /home/andreas/.ssh/id_dsa
debug: PEM_read_PrivateKey failed
debug: read SSH2 private key done: name <no key> success 0
Enter passphrase for key '/home/andreas/.ssh/id_dsa':           <--- here I only pressed ENTER
debug: next auth method to try is keyboard-interactive
Password: 


I don't want this fallback. At that prompt, if I enter the password from
my account in that machine, I get in, even if I don't have the id_dsa file
here from where I'm connecting.
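
The check below is an added example, not part of the original post: it reads `ssh -v` output and reports every method the server advertises besides publickey, so a config change can be verified against what sshd actually offers. The function names are made up here, `user@host` in the usage comment is a placeholder, and the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Usage against a live server (user@host is a placeholder):
#   ssh -v -o BatchMode=yes -o PreferredAuthentications=none user@host true 2>&1 | only_publickey

# Print the union of methods named on every "authentications that can
# continue" line read from stdin, one per line, sorted. Matches both the old
# "debug:" prefix shown in the post and the "debug1:" prefix of newer clients.
advertised_methods() {
    awk '
        { line = tolower($0) }
        line ~ /^debug[0-9]*: authentications that can continue:/ {
            sub(/^[^:]*:[^:]*:[ \t]*/, "", line)   # drop both "...:" prefixes
            gsub(/[ \t\r]/, "", line)
            n = split(line, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        END { for (k in seen) print k }
    ' | sort
}

# Return 0 if publickey is the only method offered, 1 if anything else is
# offered (the extra methods are printed on stdout), 2 if no list was found.
only_publickey() {
    methods=$(advertised_methods)
    if [ -z "$methods" ]; then
        echo "no method list found in input" >&2
        return 2
    fi
    extra=$(printf '%s\n' "$methods" | grep -vx 'publickey' || true)
    if [ -n "$extra" ]; then
        echo "server still offers non-publickey methods:" >&2
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Sample input: three debug lines copied from the ssh -v output in the post.
sample_log() {
    cat <<'EOF'
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
EOF
}
```

Run against the post's output, `sample_log | only_publickey` prints `keyboard-interactive` and returns 1.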
