When configuring SSH for public-key authentication only, you'd expect password authentication to be completely disabled. However, some administrators find their systems still accepting password logins despite proper configuration. This typically occurs due to one of these scenarios:
- SSH daemon loading incorrect configuration files
- Conflicting settings in multiple configuration files
- Permission issues with key files
- Outdated SSH server version with different syntax
First, let's confirm the actual running configuration. The sshd process might be reading a different config file than you modified:
sudo sshd -T | grep -i passwordauthentication
# Newer OpenSSH releases report this setting as kbdinteractiveauthentication
sudo sshd -T | grep -Ei 'challengeresponse|kbdinteractive'
Ensure you're modifying the correct files. For Ubuntu systems:
Primary server config: /etc/ssh/sshd_config
Client config (irrelevant for server auth): /etc/ssh/ssh_config
Include directories: /etc/ssh/sshd_config.d/*.conf
Here's a definitive configuration to enforce public-key only authentication:
# /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AuthenticationMethods publickey
PubkeyAuthentication yes
Run sshd in debug mode to see exactly what's happening:
sudo /usr/sbin/sshd -d -p 2222
Then connect with:
ssh -v -p 2222 user@localhost
Case 1: PAM overriding SSH settings
Solution: Disable PAM in sshd_config with UsePAM no
Case 2: Multiple authentication methods enabled
Solution: Explicitly set AuthenticationMethods publickey
Case 3: Configuration in included files
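Solution: Check /etc/ssh/sshd_config.d/*.conf for overrides. sshd uses the first value it obtains for each keyword, so a setting in a file included near the top of sshd_config takes precedence over a later line in the main file.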
After making changes, verify with:
# Check syntax
sudo sshd -t
# Restart service properly
sudo systemctl restart ssh
# Verify effective config (includes and drop-in files resolved, not just the main file)
sudo sshd -T | grep -i passwordauthentication
sudo netstat -tulnp | grep sshd
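The effective-configuration check can be scripted so that every password-capable path is reported at once. This is an added example, not part of the original article; the function name audit_sshd_effective and the sample settings are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `sshd -T` output on stdin and report every path that
# still lets something other than a public key authenticate.
# Prints findings; returns 1 if any are found, 0 otherwise.
audit_sshd_effective() {
    awk '
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = tolower($0) }
    END {
        bad = 0
        if (val["pubkeyauthentication"] != "yes") {
            print "FAIL pubkeyauthentication is not yes"; bad = 1
        }
        methods = val["authenticationmethods"]
        if (methods == "" || methods == "any") {
            # No explicit method list: the individual switches decide.
            if (val["passwordauthentication"] == "yes") {
                print "FAIL passwordauthentication yes"; bad = 1
            }
            # Newer sshd prints kbdinteractiveauthentication, older ones
            # challengeresponseauthentication; accept either name.
            kbd = (val["kbdinteractiveauthentication"] == "yes" ||
                   val["challengeresponseauthentication"] == "yes")
            if (kbd && val["usepam"] == "yes") {
                print "FAIL keyboard-interactive via PAM can ask for a password"
                bad = 1
            }
        } else {
            n = split(methods, tok, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] != "publickey") {
                    print "FAIL authenticationmethods lists " tok[i]; bad = 1
                }
        }
        if (!bad) print "OK public-key only"
        exit bad
    }'
}

# Constructed sample of effective settings: PasswordAuthentication is off,
# but keyboard-interactive is still on and backed by PAM.
SAMPLE_WEAK='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes
authenticationmethods any'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_effective || true
# On a live host: sudo sshd -T | audit_sshd_effective
```
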
For complex environments, use Match blocks to apply different authentication methods:
Match User admin
    AuthenticationMethods publickey
# A comma-separated list means every listed method must succeed, in order
Match Group developers
    AuthenticationMethods publickey,keyboard-interactive
Many administrators encounter this puzzling scenario: After explicitly configuring sshd_config to only accept public-key authentication by setting:
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
SSH still mysteriously accepts password logins. This happens because Ubuntu's SSH package often includes additional authentication methods through PAM (Pluggable Authentication Modules).
Here's the full set of directives needed in /etc/ssh/sshd_config:
# Core authentication settings
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
AuthenticationMethods publickey
# Additional hardening
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
After modifying the config, always validate the syntax before restarting:
sudo sshd -t && sudo systemctl restart ssh
On Ubuntu systems, PAM can override SSH authentication settings. Check /etc/pam.d/sshd for lines like:
@include common-auth
@include common-account
@include common-session
These include standard password authentication modules. To disable, either:
- Set UsePAM no in sshd_config (recommended). This also turns off PAM account and session processing for SSH logins.
- Or modify the PAM config to exclude password methods
Test your configuration from another terminal:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
This should fail with "Permission denied" if properly configured.
When troubleshooting, use verbose SSH output:
ssh -vvv user@host
Look for these key indicators in the output:
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
If you see password in the authentication methods list, the configuration isn't fully applied.
On modern Ubuntu systems using systemd, ensure you're restarting the proper service:
sudo systemctl restart sshd
Some implementations use:
sudo systemctl restart ssh
Check your specific version with:
systemctl list-unit-files | grep ssh