Disable interactive SSH at user-level
Solution 1
If you have absolutely no control over the server, I don't see a way of doing this, as you don't control server settings, which is where this would have to be.
What you'd need to do is add this to the /etc/ssh/sshd_config file:
PasswordAuthentication no
Now, this would effectively disable password authentication for all users, which may be undesirable. What you could do then, is put this configuration directive in a Match block, so it only applies to your user, in the same config file:
Match user yourusername
PasswordAuthentication no
If you could get the server's admin to do this for you, it might be the way to go.
One other way is to set a really long, random and complicated password for your user, that way you're reasonably protected from random brute-force break-in attempts. Most attackers would likely be using some dictionary-based technique so as long as your password is long and random enough, it should be quite safe.
See "man sshd_config" for more details. Also, the solution I propose was suggested here.
Solution 2
You just need to edit this line in file /etc/ssh/sshd_config from yes to no:
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
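To confirm from the client side what either change achieved, the following added example (not part of either answer) asks the server which methods it still offers for the account and flags the password-style ones. It assumes the OpenSSH client and its "Permission denied (...)" message; the function names and `yourusername@server.example` are placeholders of this example.

```shell
#!/bin/sh
# Added example (not from the answers): report whether an SSH server still
# offers password-style logins for an account, using only the ssh client.

# Read client output on stdin; print the methods named in OpenSSH's
# "Permission denied (m1,m2,...)." message, one per line.
offered_methods() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1 | tr ',' '\n'
}

# Keep only the interactive methods; exit status 1 if none are listed.
interactive_methods() {
    offered_methods | grep -E -x 'password|keyboard-interactive'
}

# Ask the server for its method list for user@host ($1). Only the "none"
# method is tried, so no key is presented and nothing prompts.
probe() {
    ssh -o PreferredAuthentications=none -o BatchMode=yes \
        -o ConnectTimeout=5 "$1" true 2>&1
}

# Turn a client reply ($1) into a one-line verdict.
report() {
    case $1 in
        *'Permission denied ('*) ;;
        *) echo "unknown: no method list in reply"; return 2 ;;
    esac
    if found=$(printf '%s\n' "$1" | interactive_methods); then
        echo "offered:" $found
    else
        echo "not offered"
    fi
}

# Constructed sample reply, used when no user@host argument is given.
SAMPLE='yourusername@server.example: Permission denied (publickey,password,keyboard-interactive).'

if [ "$#" -gt 0 ]; then reply=$(probe "$1") || true; else reply=$SAMPLE; fi
report "$reply" || true
```

Run it with your own `user@host` as the only argument; a verdict of "not offered" means the server lists neither password nor keyboard-interactive for that account.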
Rainmaker
Scientist. Developer. Tinkerer. I develop high-performance algorithms for investigating big data problems, especially those involving graphs. My background is in computational science, physics, and ecology.
Updated on September 18, 2022
Comments
-
Rainmaker over 1 year
I connect to a server I don't control via SSH.
I use public key access and don't need to be able to connect with a keyboard-interactive password.
I would like to disable keyboard-interactive access to my user so that there is no way for others to hack in this way.
Since I don't control the server, is there a way to set up my user's config file to prevent keyboard-interactive access?
-
Rainmaker over 12 years
This is helpful, but I do not believe that this would "have" to be done in the server settings, as you say. It is clear that when I use public-key authentication, the SSH daemon is checking the public key against a file in my user directory. There is no reason to believe that the server could not, in principle, check a user config file for appropriate actions to take regarding keyboard-interactive logins. Whether or not SSHD implements this, I do not know.
-
Rainmaker over 12 years
Indeed, the "KbdInteractiveAuthentication" and possibly the "ChallengeResponseAuthentication" settings in the "~/.ssh/config" file seem relevant, though I have not yet succeeded in getting them to work.
-
h3. over 12 years
@Richard ~/.ssh/config is only read by the client, not by the server. Sure, the server could, in principle, check a file in your home directory to check whether you want to allow password authentication. But it doesn't. In fact, sshd allows password logins even if your home directory doesn't exist; this can be a lifesaver in some circumstances, such as a hosed /home filesystem. The simple way to prevent others from logging in with your password is not to use a weak or reused password.
-
noleti almost 10 years
+1 for strong random password. I assume your current setup is such that you don't need to ever enter the account password? I usually use pwgen 20 or similar to generate a strong random string. Be sure to write down the password somewhere for backup.
-
Rainmaker about 8 years
That is not a user level setting.