ssh problem

I’m using ssh. I’m using 2 Linux PCs: a host and a client, both running SUSE 10.3. Like it should, when I copy the client’s public key to the host’s authorized_keys file, the client is prompted to enter a passphrase upon attempting to ssh into the host. The problem is that when the client’s public key HAS NOT been copied to the host’s authorized_keys file, instead of being denied access to the host like it should, the client is then prompted to enter the host’s Linux password and is granted access to the host upon entry of the Linux password. What’s wrong with the settings on my SSH host? Why isn’t my host rejecting clients whose public key is not in its authorized_keys file?

That’s not how authorized_keys works.
The authorized_keys file is used so you don’t have to enter a pw.
Otherwise, if the authorized_keys file is not there, when you connect to a host it will ask for a pw.

If you have copied the id_dsa.pub file, from host1 into the authorized_keys file on host2, then you can connect from host1 to host2 without entering a pw. Otherwise, you will be prompted to enter a pw.
bb


As explained by the second poster, authorized_keys is to enable authentication by public key. It does not prevent authentication by password; that’s a separate method. An ssh connection will try all allowed methods until one succeeds. So if you want to prevent authentication by password, you have to turn that method off at the server. The directive is

UsePAM no

This is because the obvious one, PasswordAuthentication, is already set to no in openSUSE, and UsePAM is the one in use. But if you do this, then every client has to use key authentication. I’ve always considered that it would be nice if sshd could offer different combinations of permitted methods depending on which IP address the client is coming from, or which interface the connection is using. But you have to run distinct sshd servers if you want to do that. Anyway, I digress.

BTW it’s not true that using a public key means you cannot have a password. You can specify a password for the public key. However the password is to unlock the private part of the key at the client end, and the server has nothing to do with it. You can even change the unlock password at the client anytime you like without reference to the server.
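To make the point above checkable, here is an added example (not code from the thread or from OpenSSH): a small auditor that parses an sshd_config and reports whether a password can still be typed at login. It goes slightly beyond the post by also accounting for ChallengeResponseAuthentication/KbdInteractiveAuthentication, which is the keyboard-interactive path that PAM uses when PasswordAuthentication is already off; the configs it checks are constructed to mirror the poster's situation.

```python
"""Audit whether an sshd_config still lets clients log in with a password.

Constructed example for this thread, not code from the forum or from OpenSSH.
Rules modelled: keywords are case-insensitive, the first value seen for a
keyword wins, lines starting with '#' are comments, and a password can arrive
via PasswordAuthentication or via PAM-backed keyboard-interactive (UsePAM yes
plus ChallengeResponseAuthentication/KbdInteractiveAuthentication, aliases).
Match blocks are not evaluated: parsing stops at the first 'Match' line.
"""

# Upstream OpenSSH defaults used when a keyword is absent (distros may differ).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings

def password_login_possible(text):
    """True if some enabled method lets the client type the account password."""
    cfg = parse_sshd_config(text)
    val = lambda k: cfg.get(k, DEFAULTS[k])
    if val("passwordauthentication") == "yes":
        return True
    return val("kbdinteractiveauthentication") == "yes" and val("usepam") == "yes"

# Constructed config mirroring the poster's situation: password auth is off,
# but PAM-backed keyboard-interactive still accepts the Linux password.
ORIGINAL = "Protocol 2\nPubkeyAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"
# The thread's fix: turn PAM off, leaving public keys as the only way in.
FIXED_USEPAM = ORIGINAL.replace("UsePAM yes", "UsePAM no")
# Alternative that keeps PAM but closes the keyboard-interactive path instead.
FIXED_KBD = ORIGINAL + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("UsePAM no", FIXED_USEPAM), ("kbd-int no", FIXED_KBD)):
        print(name, "password logins possible" if password_login_possible(cfg) else "key-only")
```

Point it at a real file with `password_login_possible(open("/etc/ssh/sshd_config").read())`; to see what sshd actually resolved (including distro defaults), compare against `sshd -T` output.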

Thanks bbendily!


Ken_yap, I set UsePAM to ‘no’ and now my problem is solved. Your explanation cleared up a lot for me. In all the ssh tutorials I’ve read, none of them spell that out so clearly. Thanks!!!