D. Hoffmann

Q: How-to: Disable ssh password authentication and enable private key authentication

I have looked around the Web to find clear instructions on how to edit the sshd_config file, so that the sshd process will refuse password authentication and instead use a private-key-public-key pair authentication. I have since figured it out and wanted to document this here. Documentation on how to generate an ssh private-key-public-key pair is available elsewhere, and so is where on the host and client to store the private and public keys to make it work. This is merely about what configuration parameters must be set in sshd_config.

I have found the sshd_config file in two locations on Macs running El Capitan: /etc/sshd_config and /etc/ssh/sshd_config. I am not sure why this is not uniform.

The options that must be set are:

RSAAuthentication yes

PubkeyAuthentication yes

PasswordAuthentication no

ChallengeResponseAuthentication no

UsePAM no

Once the file has been edited, sshd must be restarted.

One way to do it is by issuing the command:

sudo launchctl stop com.openssh.sshd

Inviting comments, especially suggestions for improvements.

MacBook Pro, OS X El Capitan (10.11.3)

Posted on Mar 9, 2016 10:39 AM
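
Added example, not part of the original post: a POSIX shell check that compares an sshd_config with the five settings listed in the post, looking in both locations mentioned in the thread. The function names are hypothetical, and as a simplification only the global section before the first Match block is read.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the post).
# Expected settings, copied from the post above.
EXPECTED='RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no'

# Print the effective global value of keyword $2 in file $1.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and lines starting with "#" are comments.
# Assumption: only the part before the first Match block is considered.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Compare file $1 with EXPECTED; report and return 1 on any difference.
audit_sshd_config() {
    rc=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Audit whichever of the two locations named in the thread exists.
audit_default_locations() {
    status=0
    for f in /etc/ssh/sshd_config /etc/sshd_config; do
        if [ -f "$f" ]; then audit_sshd_config "$f" || status=1; fi
    done
    return "$status"
}

if [ "${1:-}" = "--audit" ]; then audit_default_locations; fi
```

Run it with `--audit` as a user who can read the file; a non-zero exit status means at least one option is missing or differs from the list.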


  • by To_Mi,

    To_Mi Mar 9, 2016 11:36 AM in response to D. Hoffmann
    Level 2 (351 points)
    iLife

    Just for your info.

    "I have found the sshd_config file in two locations on Macs running El Capitan: /etc/sshd_config and /etc/ssh/sshd_config. I am not sure why this is not uniform."

    My Macs with El Capitan (10.11.3) have only one sshd_config.

    # ls -li /etc/sshd_config* /etc/ssh/sshd_config*
    60834745 -rw-r--r--@ 1 root  wheel  4189  1 16 21:17 /etc/ssh/sshd_config
    45703514 -rw-r--r--@ 1 root  wheel  4156  9 23 19:23 /etc/ssh/sshd_config~previous
    22856131 -rw-r--r--  1 root  wheel  4062  9 10  2014 /etc/sshd_config~previous

    And "man sshd" says /etc/ssh/sshd_config is the default.

         -f config_file
                 Specifies the name of the configuration file.  The default is
                 /etc/ssh/sshd_config.  sshd refuses to start if there is no
                 configuration file.

    I am not sure why you have two. Possibly the one in /etc is left over from an old version of OS X.

  • by D. Hoffmann,

    D. Hoffmann Mar 9, 2016 12:03 PM in response to To_Mi
    Level 1 (27 points)
    Mac OS X

    I didn’t express myself clearly enough.

    On some systems I have found the sshd_config file in /etc/ and on some in /etc/ssh/. You are right, however, that on all my El Capitan systems it is in /etc/ssh/. On the two Snow Leopard systems I still have, it is in /etc/.

  • by To_Mi,

    To_Mi Mar 9, 2016 12:45 PM in response to D. Hoffmann
    Level 2 (351 points)
    iLife

    On Yosemite, as I checked, it is in the same /etc/ssh/ as El Capitan. However, like your SL Macs, my Lion has it in /etc, even though man says the default is under /etc/ssh.

    Seemingly, Apple made its own modification to sshd on earlier OS X.

    On Yosemite and El Capitan

    $ strings /usr/sbin/sshd | egrep sshd_config
    /etc/ssh/sshd_config

    On Lion

    $ strings /usr/sbin/sshd | egrep sshd_config
    /etc/sshd_config

    Snow Leopard (on backup volume)

    $ strings /Volumes/Macintosh\ HD/usr/sbin/sshd | egrep sshd_config
    /Volumes/Macintosh HD/usr/sbin/sshd:/etc/sshd_config
    /Volumes/Macintosh HD/usr/sbin/sshd:The SupportSACL option (used in /etc/sshd_config) has been depreciated in favor of service ACL enforcement in sshd's PAM configuration (/etc/pam.d/sshd).