Bug 1855095 - PasswordAuthentication not being used properly
Summary: PasswordAuthentication not being used properly
Keywords:
Status: POST
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: system-administrator's-guide
Version: devel
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Petr Bokoc
QA Contact: Fedora Docs QA
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-08 23:41 UTC by Patrick Johnston
Modified: 2020-07-14 10:13 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Patrick Johnston 2020-07-08 23:41:52 UTC 
Description of problem:
So as per the F32 Docs in order to disable Password Authentication, you edit sshd_config and set PasswordAuthentication no
Then you restart sshd

However, after restart if you issue ssh username@host -o PubkeyAuthentication=no
from client to verify that password authentication is disabled, you still are prompted to enter password.

Version-Release number of selected component (if applicable):
openssh-server.x86_64 8.3p1-3.fc32

How reproducible:
Can reproduce on fresh installs on both bare metal and VMs

Steps to Reproduce:
1. vim sshd_config and set PasswordAuthentication no
2. systemctl restart sshd
3. (from client) ssh username@host -o PubkeyAuthentication=no

Actual results:
Prompts for password authentication

Expected results:
Should get on client this prompt
username@host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Additional info:
I did find a workaround.  If you edit sshd_config with following
Match User username
    PasswordAuthentication no

Then you obtain expected results, but that means on multi-user system would have to edit sshd_config everytime you add users
Comment 1 Jakub Jelen 2020-07-13 11:04:58 UTC 
That sounds like a documentation issue. Please, update the bug with the appropriate documentation where you found this note.

The sshd_config now uses drop-in directory and /etc/ssh/sshd_config.d/50-redhat.conf, which is loaded before anything you modify in sshd_config directly.

Suggested solution is not to modify shipped configuration file, but create your own file /etc/ssh/sshd_config.d/30-local.conf (for example), which will get loaded before the distribution defaults.
Comment 2 Patrick Johnston 2020-07-13 17:45:27 UTC 
https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/infrastructure-services/OpenSSH/

This is the documentation that I was referring to previously.
And thank you for the suggested solution, have already made correction and now is working as intended.
Comment 3 Jakub Jelen 2020-07-14 07:21:07 UTC 
Thanks. Reassigned to the correct guide. I will try to get it updated accordingly.
Comment 4 Jakub Jelen 2020-07-14 10:13:38 UTC 
I filled the PR fixing several more issues that I noticed in the SSH section of the guide:

https://pagure.io/fedora-docs/system-administrators-guide/pull-request/54

Review and feedback welcomed.
Note You need to log in before you can comment on or make changes to this bug.