When setting up a progressive security challenge system similar to OverTheWire's Bandit, many administrators encounter unexpected roadblocks with SSH password authentication. Here's what you need to know about configuring Ubuntu 18.04 for password-only SSH access.
Your current /etc/ssh/sshd_config needs these specific modifications:
# Disable public key authentication
PubkeyAuthentication no
# Enable password authentication
PasswordAuthentication yes
# Ensure PAM is enabled (default on Ubuntu)
UsePAM yes
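# If you want to restrict password auth to certain users, set the global
# PasswordAuthentication to no and enable it only inside a Match block.
# Keep Match blocks at the end of the file: every line after a Match line belongs to it.
Match User user1,user2,user3
    PasswordAuthentication yes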
Several factors could cause "invalid password" errors even with correct credentials:
- SELinux contexts: run restorecon -Rv /home/ to restore file contexts
- PAM restrictions: check /etc/security/access.conf for login restrictions
- Password aging: verify with chage -l username
- Home directory permissions: ensure chmod 755 /home/username
Here's a full working configuration for a challenge server:
# Create challenge users
for i in {1..18}; do
    useradd -m -s /bin/bash "user$i"
    echo "user$i:password$i" | chpasswd
    chmod 755 "/home/user$i"
done
# Configure SSH (the stock Ubuntu 18.04 file ships both lines commented out,
# so match the directive whether or not it starts with '#')
sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i -E 's/^#?PubkeyAuthentication .*/PubkeyAuthentication no/' /etc/ssh/sshd_config
echo "AllowUsers user1 user2 user3 user4 user5 user6 user7 user8 user9 user10 user11 user12 user13 user14 user15 user16 user17 user18" >> /etc/ssh/sshd_config
# Validate the file before restarting so a typo does not take SSH down
sshd -t && systemctl restart sshd
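A common reason password logins still fail after edits like these is that sshd keeps the first value it reads for a keyword and treats every line after a Match line as conditional. The script below is an added example, not part of the original page; its function names and sample config are constructed, and it assumes a single-file sshd_config with no Include directive, as on Ubuntu 18.04.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a single-file
# sshd_config with no Include directive, as shipped on Ubuntu 18.04.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, and everything after a
# "Match" line is conditional, so only the first pre-Match occurrence counts.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                # global section ends here
        key == want { found = 1; print tolower(f[2]); exit }
        END { if (!found) print def }          # unset: OpenSSH built-in default
    ' "$1"
}

# check_password_only FILE
# Returns 0 only if the global section yields password-only authentication.
check_password_only() {
    rc=0
    # keyword:wanted:OpenSSH-default
    for spec in passwordauthentication:yes:yes pubkeyauthentication:no:yes usepam:yes:no; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; def=${rest#*:}
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "$key: sshd will use '$got', wanted '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an active "PasswordAuthentication no" left earlier in
# the file, plus a "yes" appended after a Match block, where it becomes part
# of that block instead of the global section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication no
UsePAM yes
Match User user1,user2,user3
    PasswordAuthentication yes
PasswordAuthentication yes
EOF
if ! check_password_only "$sample"; then
    echo "password logins are still off for users outside the Match block"
fi
rm -f "$sample"
```

On a live server, sudo sshd -T prints the effective values sshd itself computed, and sudo sshd -t validates the file before a restart.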
While this setup works for educational challenges, consider these hardening measures for production:
# Implement rate limiting
apt install fail2ban
# Configure basic firewall rules
ufw limit 22/tcp
ufw enable
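# Monitor authentication attempts: count failures per source IP.
# The IP is the fourth field from the end whether or not the line says "invalid user".
grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr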
When setting up a capture-the-flag style progressive challenge similar to OverTheWire's Bandit, many admins encounter unexpected authentication issues. The default SSH configuration in Ubuntu 18.04 prioritizes key-based authentication, which can interfere with password-based challenge designs.
To enable password authentication, you'll need to modify these critical parameters in /etc/ssh/sshd_config:
# Disable key authentication temporarily
PubkeyAuthentication no
# Enable password authentication
PasswordAuthentication yes
# Ensure PAM is used for authentication
UsePAM yes
# Reject accounts with empty passwords and turn off challenge-response prompts
PermitEmptyPasswords no
ChallengeResponseAuthentication no
For your progressive challenge structure, consider this user creation template:
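# Password for the first level; hand this one to players out of band
next_password=$(openssl rand -hex 8)
echo "Password for hacker1: $next_password"
for i in {1..18}; do
    username="hacker$i"
    password=$next_password
    # Generate the next level's password now so it can be left in this home directory
    next_password=$(openssl rand -hex 8)
    sudo useradd -m -s /bin/bash "$username"
    echo "$username:$password" | sudo chpasswd
    if [ "$i" -lt 18 ]; then
        echo "Password for hacker$((i+1)): $next_password" | sudo tee "/home/$username/next_password.txt" > /dev/null
        sudo chown "$username:$username" "/home/$username/next_password.txt"
        sudo chmod 600 "/home/$username/next_password.txt"
    fi
done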
If you're still getting "invalid password" errors, check these:
- Run sudo service ssh restart after config changes
- Verify SELinux/AppArmor isn't blocking PAM: sudo aa-status
- Check auth logs: tail -f /var/log/auth.log
- Test local login first: su - username
Password authentication is less secure than key-based auth, but in a controlled CTF environment you can offset some of that risk with rate limiting:
# Install fail2ban
sudo apt install fail2ban
# Create custom jail
echo "[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600" | sudo tee /etc/fail2ban/jail.d/sshd.local