[SOLVED] SSH password authentication disabled but still works

[zangetsu]

I have a laptop with the latest version of Linux Mint on it and I want to connect to it through SSH.
Hence, I installed on it openssh-server. On the other laptop I generated a public SSH-key and successfully copied it in the "server". Then, on the server, I disabled password authentication and reloaded and restarted the ssh daemon through sudo systemctl restart ssh && sudo systemctl reload ssh... however the authentication phase still prompts the password!
I also rebooted the laptop and added some other prohibitions in the /etc/ssh/ssh_config file because I found online some guides that state that just disabling password authentication is not enough.
Finally, the key based authentication still does not work, the authentication still prompts the password, and here it is how the /etc/ssh/ssh_config file looks now:

Code: Select all

   1   │
   2   │ # This is the ssh client system-wide configuration file.  See
   3   │ # ssh_config(5) for more information.  This file provides defaults for
   4   │ # users, and the values can be changed in per-user configuration files
   5   │ # or on the command line.
   6   │
   7   │ # Configuration data is parsed as follows:
   8   │ #  1. command line options
   9   │ #  2. user-specific file
  10   │ #  3. system-wide file
  11   │ # Any configuration value is only changed the first time it is set.
  12   │ # Thus, host-specific definitions should be at the beginning of the
  13   │ # configuration file, and defaults at the end.
  14   │
  15   │ # Site-wide defaults for some commonly used options.  For a comprehensive
  16   │ # list of available options, their meanings and defaults, please see the
  17   │ # ssh_config(5) man page.
  18   │
  19   │ Include /etc/ssh/ssh_config.d/*.conf
  20   │
  21   │ Host *
  22   │ #   ForwardAgent no
  23   │ #   ForwardX11 no
  24   │ #   ForwardX11Trusted yes
  25   │     PasswordAuthentication no
  26   │     ChallengeResponseAuthentication no
  27   │     UsePAM no
  28   │     PermitRootLogin prohibit-password  # also tried "no"
  29   │ #   HostbasedAuthentication no
  30   │ #   GSSAPIAuthentication no
  31   │ #   GSSAPIDelegateCredentials no
  32   │ #   GSSAPIKeyExchange no
  33   │ #   GSSAPITrustDNS no
  34   │ #   BatchMode no
  35   │ #   CheckHostIP yes
  36   │ #   AddressFamily any
  37   │ #   ConnectTimeout 0
  38   │ #   StrictHostKeyChecking ask
  39   │ #   IdentityFile ~/.ssh/id_rsa
  40   │ #   IdentityFile ~/.ssh/id_dsa
  41   │ #   IdentityFile ~/.ssh/id_ecdsa
  42   │ #   IdentityFile ~/.ssh/id_ed25519
  43   │ #   Port 22
  44   │ #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
  45   │ #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
  46   │ #   EscapeChar ~
  47   │ #   Tunnel no
  48   │ #   TunnelDevice any:any
  49   │ #   PermitLocalCommand no
  50   │ #   VisualHostKey no
  51   │ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  52   │ #   RekeyLimit 1G 1h
  53   │ #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
  54   │     SendEnv LANG LC_*
  55   │     HashKnownHosts yes
  56   │     GSSAPIAuthentication yes

[vimes666]

Maybe you also have to make those changes in /etc/ssh/sshd_config?

[zangetsu]

Maybe you also have to make those changes in /etc/ssh/sshd_config?

now I understand why at the beginning of /etc/ssh/ssh_config it is written "This is the ssh client system-wide configuration file."

So, now that I edited the right file, i.e., /etc/ssh/sshd_config, the problem has become that when I give the command ssh user@server_ip the answer that I receive is user@server_ip: Permission denied (publickey), despite the fact that in the server's ~/.ssh/authorized_keys file there is the public key of the client.

This is what /etc/ssh/ssh_config contains:

Code: Select all

   1   │ 
   2   │ # This is the sshd server system-wide configuration file.  See
   3   │ # sshd_config(5) for more information.
   4   │ 
   5   │ # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
   6   │ 
   7   │ # The strategy used for options in the default sshd_config shipped with
   8   │ # OpenSSH is to specify options with their default value where
   9   │ # possible, but leave them commented.  Uncommented options override the
  10   │ # default value.
  11   │ 
  12   │ Include /etc/ssh/sshd_config.d/*.conf
  13   │ 
  14   │ #Port 22
  15   │ #AddressFamily any
  16   │ #ListenAddress 0.0.0.0
  17   │ #ListenAddress ::
  18   │ 
  19   │ #HostKey /etc/ssh/ssh_host_rsa_key
  20   │ #HostKey /etc/ssh/ssh_host_ecdsa_key
  21   │ #HostKey /etc/ssh/ssh_host_ed25519_key
  22   │ 
  23   │ # Ciphers and keying
  24   │ #RekeyLimit default none
  25   │ 
  26   │ # Logging
  27   │ #SyslogFacility AUTH
  28   │ #LogLevel INFO
  29   │ 
  30   │ # Authentication:
  31   │ 
  32   │ #LoginGraceTime 2m
  33   │ #StrictModes yes
  34   │ #MaxAuthTries 6
  35   │ #MaxSessions 10
  36   │ PasswordAuthentication no
  37   │ ChallengeResponseAuthentication no
  38   │ PermitRootLogin prohibit-password
  39   │ PubkeyAuthentication yes
  40   │ 
  41   │ # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  42   │ #AuthorizedKeysFile  .ssh/authorized_keys   .ssh/authorized_keys2
  43   │ 
  44   │ #AuthorizedPrincipalsFile none
  45   │ 
  46   │ #AuthorizedKeysCommand none
  47   │ #AuthorizedKeysCommandUser nobody
  48   │ 
  49   │ # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  50   │ #HostbasedAuthentication no
  51   │ # Change to yes if you don't trust ~/.ssh/known_hosts for
  52   │ # HostbasedAuthentication
  53   │ #IgnoreUserKnownHosts no
  54   │ # Don't read the user's ~/.rhosts and ~/.shosts files
  55   │ #IgnoreRhosts yes
  56   │ 
  57   │ # To disable tunneled clear text passwords, change to no here!
  58   │ #PasswordAuthentication yes
  59   │ #PermitEmptyPasswords no
  60   │ 
  61   │ # Change to yes to enable challenge-response passwords (beware issues with
  62   │ # some PAM modules and threads)
  63   │ KbdInteractiveAuthentication no
  64   │ 
  65   │ # Kerberos options
  66   │ #KerberosAuthentication no
  67   │ #KerberosOrLocalPasswd yes
  68   │ #KerberosTicketCleanup yes
  69   │ #KerberosGetAFSToken no
  70   │ 
  71   │ # GSSAPI options
  72   │ #GSSAPIAuthentication no
  73   │ #GSSAPICleanupCredentials yes
  74   │ #GSSAPIStrictAcceptorCheck yes
  75   │ #GSSAPIKeyExchange no
  76   │ 
  77   │ # Set this to 'yes' to enable PAM authentication, account processing,
  78   │ # and session processing. If this is enabled, PAM authentication will
  79   │ # be allowed through the KbdInteractiveAuthentication and
  80   │ # PasswordAuthentication.  Depending on your PAM configuration,
  81   │ # PAM authentication via KbdInteractiveAuthentication may bypass
  82   │ # the setting of "PermitRootLogin without-password".
  83   │ # If you just want the PAM account and session checks to run without
  84   │ # PAM authentication, then enable this but set PasswordAuthentication
  85   │ # and KbdInteractiveAuthentication to 'no'.
  86   │ UsePAM no
  87   │ 
  88   │ #AllowAgentForwarding yes
  89   │ #AllowTcpForwarding yes
  90   │ #GatewayPorts no
  91   │ X11Forwarding yes
  92   │ #X11DisplayOffset 10
  93   │ #X11UseLocalhost yes
  94   │ #PermitTTY yes
  95   │ PrintMotd no
  96   │ #PrintLastLog yes
  97   │ #TCPKeepAlive yes
  98   │ #PermitUserEnvironment no
  99   │ #Compression delayed
 100   │ #ClientAliveInterval 0
 101   │ #ClientAliveCountMax 3
 102   │ #UseDNS no
 103   │ #PidFile /run/sshd.pid
 104   │ #MaxStartups 10:30:100
 105   │ #PermitTunnel no
 106   │ #ChrootDirectory none
 107   │ #VersionAddendum none
 108   │ 
 109   │ # no default banner path
 110   │ #Banner none
 111   │ 
 112   │ # Allow client to pass locale environment variables
 113   │ AcceptEnv LANG LC_*
 114   │ 
 115   │ # override default of no subsystems
 116   │ Subsystem   sftp    /usr/lib/openssh/sftp-server
 117   │ 
 118   │ # Example of overriding settings on a per-user basis
 119   │ #Match User anoncvs
 120   │ #   X11Forwarding no
 121   │ #   AllowTcpForwarding no
 122   │ #   PermitTTY no
 123   │ #   ForceCommand cvs server

[zangetsu]

It looks that the last problem was caused by the ~/.ssh folder having wrong permissions... I solved it by doing chmod 700 ~/.ssh.

[vimes666]

Leaves me wondering why ~/.ssh wasn't 700...

[zangetsu]

Leaves me wondering why ~/.ssh wasn't 700...

Probably because it was manually copied from an external NTFS HDD to the home directory

[vimes666]

Fair enough