SSH Debian – Should `#PubkeyAuthentication yes` Be Commented Out in sshd_config?

debianpublic-keyssh

Just setting up a new Debian 10 server having uploaded my public SSH keys, not restarted sshd yet.

I can now log in without password, so now doing all the usual recommended edits in /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
usePAM no
PermitRootLogin no
PasswordAuthentication no

BUT I'm wondering if leaving #PubkeyAuthentication yes commented out means "no setting" i.e. as some posts seem to indicate I can still SSH in pw-free without explicitly uncommenting this line?

Best Answer

man sshd_config will show you that yes is the default value for PubkeyAuthentication. So you can leave it commented out; it's the same as yes.

The stock sshd_config file also includes a comment at the top, saying that it comes with the default values present but commented out.

Related Solutions

SSH Tunneling – Only Access

Yes, just use /bin/false as shell and instruct the user to start the tunneling SSH process without executing any remote command (i.e. the -N flag for OpenSSH):

ssh -N -L 1234:target-host:5678 ssh-host

SSH Authentication – Use Only Password and Ignore SSH Key

Try ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no host.example.org

In ssh v2, keyboard-interactive is another way to say "password". The -o PubkeyAuthentication=no option instructs the client not to attempt key pair authentication.

In addition, the PasswordAuthentication=yes option is to override any previously configured ssh options that may have disabled it.

Best Answer

Related Solutions

SSH Tunneling – Only Access

SSH Authentication – Use Only Password and Ignore SSH Key

Related Topic