# stop sshd from asking for password



## ThunderWolf (Aug 12, 2012)

I am trying to disallow password login to my ssh server, but can't. I have set:

```
PasswordAuthentication no
```
in /etc/ssh/sshd_config and have reset the daemon with:

```
service sshd restart
```
and

```
killall -HUP sshd
```
Neither of these works: when logging in it still asks me for my password, and when I give it a null password three times it returns without asking for the RSA passphrase. I think this has to do with another setting in my config file, or the config file is not being read by the daemon.
This is my config file:

```
#       $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#       $FreeBSD: release/9.0.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
```
and there are no flags set on the sshd daemon in /etc/rc.conf.


----------



## kpa (Aug 12, 2012)

Set ChallengeResponseAuthentication to no.


----------



## ThunderWolf (Aug 12, 2012)

Sorry that was not all of the config file, but here is all of it:

```
#	$OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#	$FreeBSD: release/9.0.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
```


----------



## ThunderWolf (Aug 12, 2012)

Thank you kpa that solved the password problem, but it still is not asking me for my rsa pass-phrase! Again Thanks for the fast response.


----------



## kpa (Aug 12, 2012)

How are you connecting to the ssh server? On some systems the rsa key is automatically unlocked when you login, OS X does that for example if you select to save the password for the key on first use.

If you're on UNIX (-like) system or OS X you can run
`$ ssh-add -l`

to check if your key is already unlocked and held by the ssh key agent.


----------



## ThunderWolf (Aug 12, 2012)

I am using Fedora 17 Linux as the client and FreeBSD as the server. ssh-add has no stored identities, but I added my passphrase just to see and it didn't work. It should ask for my pass-phrase.


----------



## ThunderWolf (Aug 12, 2012)

I think I should add that this is returned when trying to login:

```
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
```
This could be a file permission somewhere. I have checked the client's ~/.ssh/id_rsa.pub file, which is readable by all, and all of the server's ~/.ssh/* files are 777.


----------



## kpa (Aug 12, 2012)

I think sshd(8) gets paranoid if the ~/.ssh/* files have write permissions to group or world, I'd do

`$ chmod 640 ~/.ssh/*.pub ~/.ssh/authorized_keys ~/.ssh/known_hosts ~/.ssh/config`

If you have any private key files on the server make them only user read/writeable

`$ chmod 600 ~/.ssh/id_rsa`

/var/log/auth.log may reveal more information why the server rejects your key.


----------



## ThunderWolf (Aug 12, 2012)

I changed the permissions and had a look at the log file, but all I found in the logs was a complaint about ~/.login_conf being world writable, so I changed it to 600.
This is my log file:

```
Aug 11 22:23:22 bishop0 newsyslog[944]: logfile first created
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on :: port 22.
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 11 22:23:46 bishop0 sshd[1317]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:47 bishop0 sshd[1317]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:49 bishop0 last message repeated 2 times
Aug 11 22:23:50 bishop0 sshd[1322]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:51 bishop0 sshd[1322]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:52 bishop0 last message repeated 2 times
Aug 11 22:23:53 bishop0 sshd[1327]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:57 bishop0 sshd[1327]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36631 ssh2
Aug 11 22:24:03 bishop0 su: BAD SU user to root on /dev/pts/0
Aug 11 22:24:13 bishop0 su: user to root on /dev/pts/0
```
I cleaned it up first with rm.


----------



## ThunderWolf (Aug 12, 2012)

This is the log file after ChallengeResponseAuthentication is set to no:

```
Aug 11 22:23:22 bishop0 newsyslog[944]: logfile first created
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on :: port 22.
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 11 22:23:46 bishop0 sshd[1317]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:47 bishop0 sshd[1317]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:49 bishop0 last message repeated 2 times
Aug 11 22:23:50 bishop0 sshd[1322]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:51 bishop0 sshd[1322]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:52 bishop0 last message repeated 2 times
Aug 11 22:23:53 bishop0 sshd[1327]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:57 bishop0 sshd[1327]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36631 ssh2
Aug 11 22:24:03 bishop0 su: BAD SU user to root on /dev/pts/0
Aug 11 22:24:13 bishop0 su: user to root on /dev/pts/0
Aug 11 22:29:06 bishop0 sshd[1330]: Received disconnect from 192.168.0.7: 11: disconnected by user
Aug 11 22:29:09 bishop0 sshd[1343]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:10 bishop0 sshd[1343]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:29:11 bishop0 last message repeated 2 times
Aug 11 22:29:13 bishop0 sshd[1348]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:18 bishop0 sshd[1348]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36634 ssh2
Aug 11 22:29:32 bishop0 su: user to root on /dev/pts/0
```
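Read session by session, the two log excerpts above say the same thing each time: the sshd child first refuses the key because of StrictModes, then PAM accepts a password through keyboard-interactive. As an added example, not code from the thread, here is a small Python parser for auth.log lines in that format (the sample is constructed from lines in this post) that groups messages by sshd child pid and flags sessions where the key was refused or the login was accepted by a non-key method:

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the auth.log excerpt above.
SAMPLE_LOG = """\
Aug 11 22:29:09 bishop0 sshd[1343]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:10 bishop0 sshd[1343]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:29:11 bishop0 last message repeated 2 times
Aug 11 22:29:13 bishop0 sshd[1348]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:18 bishop0 sshd[1348]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36634 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REFUSED_RE = re.compile(r"Authentication refused: bad ownership or modes for (?:directory|file) (?P<path>\S+)")
PAMERR_RE = re.compile(r"error: PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_sessions(log_text):
    """Group sshd lines by child pid and record what happened in each session."""
    sessions = defaultdict(lambda: {"refused_paths": [], "pam_errors": 0, "accepted": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # newsyslog, su, "last message repeated" lines are not sshd events
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        if (r := REFUSED_RE.search(msg)):
            s["refused_paths"].append(r.group("path"))
        elif (r := PAMERR_RE.search(msg)):
            s["pam_errors"] += 1
        elif (r := ACCEPT_RE.search(msg)):
            s["accepted"] = (r.group("method"), r.group("user"), r.group("ip"))
    return dict(sessions)


def audit(log_text, allowed_methods=("publickey",)):
    """Return one finding per session that diverges from a key-only login policy."""
    findings = []
    for pid, s in sorted(parse_sessions(log_text).items()):
        if s["refused_paths"]:
            findings.append(f"{pid}: StrictModes refused {s['refused_paths'][0]}, key not consulted")
        if s["accepted"] and s["accepted"][0] not in allowed_methods:
            method, user, ip = s["accepted"]
            findings.append(f"{pid}: {user}@{ip} logged in via {method}, not a key")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```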


----------



## kpa (Aug 12, 2012)

Your home directory has some funny permissions or it's not owned by you. 
`# chmod 755 /usr/home/user`
`# chown user /usr/home/user`
`# chgrp user /usr/home/user`


----------



## ThunderWolf (Aug 12, 2012)

I changed the permissions of my home dir, but same thing, so I changed it back to 777 for a temp fix for nfs lol. I own the home dir and it belongs to my group.


----------



## J65nko (Aug 12, 2012)

For password-less ssh access, you only have to copy your public key from your workstation home dir to the authorized_keys in your home dir on the server. You do not need to mess around with the ssh config file of the server at all.

See Howto: Setting up public key password-less 'ssh' access


----------



## ThunderWolf (Aug 13, 2012)

I have been using ssh for quite a while on other systems and have always had to modify the sshd_config file. I remember, after copying the pub file's contents to the client's authorized_keys file, trying to login and being asked for my password. I want to disable password and be asked for pass-phrase, but thanks for the reply anyway.


----------



## wblock@ (Aug 13, 2012)

The server does not ask for your passphrase, that's local.  Usually handled by ssh-agent(1).


----------



## ThunderWolf (Aug 13, 2012)

I have checked all file permissions in the ~/.ssh dirs on both client and server, but everything is what it should be.

I am thinking that since *sshd* ran on the first boot and made its own encryption keys, that when I ran:

```
ssh-keygen -t rsa
```
it may have screwed things up.


----------



## kpa (Aug 13, 2012)

Those are host keys that are created on the first run of sshd(8). Create a new key on the client that has a password and add the public key to authorized_keys on the server; does it get rejected the same way?


----------



## ThunderWolf (Aug 13, 2012)

I think I have been pulling us away from the real problem, sorry. It is not rejecting the public key, it just is not asking for it.


----------



## phoenix (Aug 14, 2012)

Did you specify the key file to use on the command-line? If not, try that. That will tell you if the key is created correctly, and the public side is set on the server correctly:
`$ ssh -i /path/to/key/file -l username server.to.connect.to`

If that works, then you need to check ~username/.ssh/config and/or /etc/ssh/ssh_config to make sure it's asking for the right key file.


----------



## Jsanchez (Aug 14, 2012)

I'll show you my configuration which works as you want.

*Server /etc/sshd_config*

```
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
```

*SSH Client ~/.ssh/config*

```
Host example
        HostName 10.0.0.1
        Port 22
        User luser
        DynamicForward 9999
        IdentityFile /home/jsanchez/.ssh/private-key
```
private-key is the key generated by the client, not the public one, and the generated public key should be added to ~/.ssh/authorized_keys in the server user account.


----------



## robbak (Aug 14, 2012)

> Aug 11 22:29:09 bishop0 sshd[1343]: Authentication refused: bad ownership or modes for directory /usr/home/user

That is the line about the public/private key authentication attempt: it failed because of permission errors. If your home directory is 777, then it will fail!
You stated that you had set it but did not have success. What was the error message when you had the home directory's permissions fixed? 755 user:user (assuming 'user' is your actual username: un-anonymize it if it isn't!) is what it is for me; some use 0x750 or less, which is even more strict.
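The "bad ownership or modes for directory /usr/home/user" line is sshd's StrictModes check: authorized_keys and every directory above it up to the home directory must be owned by the user or root and must not be group- or world-writable, so a 777 home directory fails it and sshd never consults the key. As an added example, not the thread's own code, here is a Python reimplementation of that rule over (path, st_mode, st_uid) tuples, with SAMPLE_ENTRIES constructed to mirror the thread (uid 1001 is an assumed value) and a scan_home helper that runs the same rule over real stat data:

```python
import os
import stat

GROUP_OR_WORLD_WRITE = 0o022  # the mode bits StrictModes refuses to see set

# Constructed sample mirroring the thread: home dir chmod 777, the rest sane.
# uid 1001 is an assumed value for "user".
USER_UID = 1001
SAMPLE_ENTRIES = [
    ("/usr/home/user", 0o40777, USER_UID),
    ("/usr/home/user/.ssh", 0o40700, USER_UID),
    ("/usr/home/user/.ssh/authorized_keys", 0o100600, USER_UID),
]


def strict_modes_violations(entries, uid):
    """Apply sshd's StrictModes rule to (path, st_mode, st_uid) tuples.

    Each component must be owned by the user or root and must not be
    writable by group or others.  Returns one complaint per failing check.
    """
    problems = []
    for path, mode, owner in entries:
        if owner not in (uid, 0):
            problems.append(f"{path}: owned by uid {owner}, expected {uid} or root")
        if mode & GROUP_OR_WORLD_WRITE:
            problems.append(f"{path}: mode {stat.S_IMODE(mode):04o} is group/world writable")
    return problems


def scan_home(home, uid):
    """Stat the components sshd inspects for a user's authorized_keys and check them."""
    ssh_dir = os.path.join(home, ".ssh")
    entries = []
    for p in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue  # a missing file is a different failure, not a mode problem
        entries.append((p, st.st_mode, st.st_uid))
    return strict_modes_violations(entries, uid)


if __name__ == "__main__":
    for problem in strict_modes_violations(SAMPLE_ENTRIES, USER_UID):
        print("sample:", problem)
    # Live check of the invoking account (assumes a Unix host with a home dir).
    for problem in scan_home(os.path.expanduser("~"), os.getuid()):
        print("live:", problem)
```

The sample run reports only the home directory, which is exactly what the thread's log line complains about; once the home directory is 755 user:user the list is empty.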


----------

