# SSH users login only with private/public key



## netpumber (Feb 22, 2012)

Hello.

I've just installed FreeBSD to test as a server on one of my PCs. Now I'm configuring the sshd_config file and want a user to log in only with his private/public key.

- There is one user besides root, called webserver.
- I created a public and private key, and placed the public one in the /home/webserver/.ssh/authorized_keys file.
- Now, from Windows, using PuTTY with the private key, user webserver logged in as expected.

The problem is that this user can also log in without using his private key.

In the sshd_config file, *PasswordAuthentication* is set to *no*.

Is such a reaction normal?
How can I make the server accept only connections that use the private key?

Thanks in advance!


----------



## wblock@ (Feb 22, 2012)

Did you restart sshd after the change?


----------



## netpumber (Feb 22, 2012)

> Did you restart sshd after the change?


Yes


----------



## anomie (Feb 22, 2012)

ChallengeResponseAuthentication + UsePAM operate in a similar fashion to PasswordAuthentication on FreeBSD systems. You'll want to disable ChallengeResponseAuthentication. 

Actually, to be safe, you should be disabling all authentication forms _except_ PubkeyAuthentication. Check sshd_config(5) to see what they all are. (Make sure you have a way to get into your system - e.g. physical access - should you lose your client keys.)


----------



## netpumber (Feb 22, 2012)

Thanks a lot. Now it's working.
Here is the config file.

Do you think that I have to fix something else?

And I have physical access to this PC, so it's ok.


```
#       $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#       $FreeBSD: release/9.0.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

VersionAddendum FreeBSD

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# Allow specific groups
AllowGroups sshAllow

# Allow specific users
AllowUsers webserver

# Idle time-out interval
ClientAliveInterval 300
ClientAliveCountMax 0

#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

#Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
MaxSessions 5

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
Banner /etc/ssh/sshd-banner

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048
.
.
.
```


----------



## razrx (Feb 22, 2012)

Running a stock /etc/ssh/sshd_config, you need to set

```
ChallengeResponseAuthentication no
```

Then reload sshd

`#  service sshd reload`

When you then try to log in using password authentication, the response from sshd will be:


```
Permission denied (publickey).
```


----------
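The behaviour anomie describes (PAM keyboard-interactive login still admitted through ChallengeResponseAuthentication even with PasswordAuthentication off) and the fix razrx gives can both be checked against a config file before sshd is reloaded. The following script is an added example and is not code from this thread, from FreeBSD or from OpenSSH: the two sample config fragments are constructed to mirror the poster's first and second attempts, the function names `effective_value` and `key_only_login` are my own, and it assumes the plain `Keyword value` form of sshd_config, sshd's rule that the first uncommented occurrence of a keyword wins, and OpenSSH's compiled-in default of `yes` for all three directives.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an sshd_config whether
# anything other than a public key can still authenticate a user.
# Assumptions: "Keyword value" syntax only, first match wins, no Match blocks.

# effective_value FILE DIRECTIVE DEFAULT
# DIRECTIVE may be an alternation such as "a|b" for keyword aliases.
# Prints the lower-cased first uncommented value, or DEFAULT if absent.
effective_value() {
    value=$(awk -v d="$2" '
        /^[ \t]*#/ || NF == 0 { next }                      # skip comments/blank lines
        tolower($1) ~ "^(" tolower(d) ")$" { print tolower($2); exit }
    ' "$1")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$3"; fi
}

# key_only_login FILE
# Returns 0 when only PubkeyAuthentication can succeed, 1 otherwise.
# KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication,
# so both spellings are treated as the same keyword.
key_only_login() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" "ChallengeResponseAuthentication|KbdInteractiveAuthentication" yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s PubkeyAuthentication=%s\n' \
        "$pw" "$cr" "$pk"
    [ "$pk" = yes ] && [ "$pw" = no ] && [ "$cr" = no ]
}

# Constructed sample 1: the poster's first attempt. PasswordAuthentication is
# off, but ChallengeResponseAuthentication keeps its default of yes, so PAM
# can still ask for (and accept) the account password.
before=$(mktemp)
cat > "$before" <<'EOF'
Port 2222
# PasswordAuthentication yes   <- commented out, does not count
PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample 2: after applying the advice in the thread.
after=$(mktemp)
cat > "$after" <<'EOF'
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
EOF
trap 'rm -f "$before" "$after"' EXIT

key_only_login "$before" || echo "before: a password can still get in via PAM"
key_only_login "$after"  && echo "after: public key is the only way in"
```

This only reads the file as written; the authoritative view of what a running sshd will enforce, including anything a Match block overrides, is `sshd -T`, which prints every effective setting in lower case. After changing the file, reload with `service sshd reload` as razrx shows, and keep your existing session open until a fresh key login and a rejected password login have both been confirmed.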

