Key-based SSH authentication
William O'Higgins Witteman
william.ohiggins-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Mon Nov 20 15:13:33 UTC 2006
On Mon, Nov 20, 2006 at 08:57:28AM -0500, G. Matthew Rice wrote:
>William O'Higgins Witteman <william.ohiggins-H217xnMUJC0sA/PxXw9srA at public.gmane.org> writes:
>> The thing is, once I have set up key-based authentication, I am
>> going to want to disable password-based authentication. I'm not quite
>> sure how to do that, and it would make me very sad if I locked myself
>> out by mistake. I am using Debian testing and OpenSSH_4.3p2. Thanks.
>
>Leave an ssh session open and su'ed to root then change the setting:
>
> PasswordAuthentication
>
>to 'no' in /etc/ssh/sshd_config. Then restart sshd (probably in that ssh
>session I mentioned above).
>
>Also, I've started doing some short talks (5-10 minutes) at each NewTLUG
>meeting. The next one is going to be an SSH primer.

Thanks to all. Due to the lengthy delay in TLUG mail over the last few
days, I managed to trial and error my way through this.

Changing PasswordAuthentication to "no" doesn't work, because it has
always been set to "no". I had to change ChallengeResponseAuthentication
to "no" for the server to stop asking for a password if no key was
provided. Now I have two-factor authentication with a key on a USB
device and a passphrase in my head, and my logs are no longer filled
with user $FOO not on AllowUsers list entries.

The advice to open up a second session to use as a bail-out was
essential - I didn't realize that an SSH session will persist even when
you restart the daemon. Neat.
--
yours,
William
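
The pitfall described in the message above (PasswordAuthentication already "no", yet the server still prompts) can be checked for before sshd is restarted. The following is an added example, not part of the original post or of OpenSSH: the function names and sample configs are constructed for illustration, and it assumes both keywords default to "yes" when absent and reads only the global section of a single file (no Match blocks).

```shell
#!/bin/sh
# Added example: list the password-capable methods that the global section
# of an sshd_config leaves enabled. Function names are hypothetical.

# effective_setting KEYWORD DEFAULT < config
# sshd uses the first value it reads for a keyword; keywords are
# case-insensitive; an absent keyword falls back to DEFAULT.
effective_setting() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blanks
        { split($0, f, /[ \t=]+/); kw = tolower(f[1]) }
        kw == "match" { exit }                 # Match blocks are not evaluated
        kw == key { val = tolower(f[2]); exit }
        END { print val }
    '
}

# password_capable_methods < config
# Prints the keywords (space-separated) whose effective value is not "no".
# Assumption: both default to "yes" when the file does not mention them.
password_capable_methods() {
    cfg=$(cat)
    out=""
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(printf '%s\n' "$cfg" | effective_setting "$key" yes)
        [ "$val" = "no" ] || out="$out $key"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: password login "disabled", prompt still appears.
BEFORE='# constructed sample, not a real host config
PasswordAuthentication no
#ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample: the change described in the post.
AFTER='PasswordAuthentication no
challengeresponseauthentication no
UsePAM yes'

echo "before: $(printf '%s\n' "$BEFORE" | password_capable_methods)"
echo "after:  $(printf '%s\n' "$AFTER" | password_capable_methods)"
```

On a real host the function would be fed the live file, for example `password_capable_methods < /etc/ssh/sshd_config`, from the spare root session kept open as a bail-out.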