# sshd "PasswordAuthentication no" has no effect



## klu (Feb 4, 2018)

Hi I'm trying to disable password login for all users except one, "foo". That way, for example, I can login as "bar" with public key but not password. And I can login as "foo" with password.

I tried this config:


```
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
Match all

# restart sshd afterwards
```

However, I still can login as "bar" with password!!!

Then, I tried this config:


```
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
    ChallengeResponseAuthentication no
Match all
```

Unfortunately, ChallengeResponseAuthentication cannot be inside a Match block

If I move ChallengeResponseAuthentication no outside:


```
ChallengeResponseAuthentication no
AllowUsers foo bar
Match User !foo
    PasswordAuthentication no
Match all
```

Then ssh disabled password login for EVERYBODY, including "foo".

*So, my dilemma is - I want to disable password login for everyone except user "foo". How can I do this?*


----------



## chrbr (Feb 4, 2018)

Dear Kay,
please see passwd(5).

```
A password of ‘*’ indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted
     passwords, and ‘*’ can never be the result of encrypting a password.
```
I am not sure if this can be accomplished using vipw(8) or so. At least this is a pointer.


----------



## Eric A. Borisch (Feb 4, 2018)

I don’t see the rest of your config, but PasswordAuthentication is no by default if not set in sshd_config(5). Perhaps:


```
Match user foo
  PasswordAuthentication yes

# and just to remind yourself
PasswordAuthentication no
```

The setting of a variable is sticky — first set wins — so foo will have “yes” and everyone else will have “no”. Recall that ChallengeResponse + PAM can still (depending on PAM config) allow password authentication.

Setting the password to * will also allow you to preclude password authentication for those users, but this will be for all login methods (including console) if that is relevant to your situation.


----------



## sko (Feb 5, 2018)

IIRC the "PasswordAuthentication" is by default overridden by "UsePAM", so it has no effect (and is therefore already set to "no" by default).

Either go with the already mentioned way of using '*' as a password to disable password-authentication completely for these users, or have a look at the "AuthenticationMethods" option in sshd_config(5).


----------



## klu (Feb 5, 2018)

Thanks guys! I'll take those back and experiment with the options!


----------



## joancatala (Sep 12, 2018)

This is an old post, but I wanted to write the solution to Kay

Edit the file /etc/ssh/sshd_config

Configure this three lines:

```
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
```

Now restart SSH server:

```
# sh /etc/rc.d/sshd restart
Restarting sshd.
```

And that's all. You won't be able to SSH with user/password anymore. Use a certificate authentication, is more secure.


----------



## utkonos (Dec 8, 2022)

If anyone arrives here in 2022 on, the configuration file syntax for OpenSSH has changed. The last reply above still works, but `ChallengeResponseAuthentication` is deprecated. The current config entry is now `KbdInteractiveAuthentication`. Therefore, everything the same as above, but the lines in `sshd_config` should now be the following:


```
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
```

See the note in the man page for more info:


			sshd_config(5) - OpenBSD manual pages


----------

