How do I set up sshd on Mac OS X to only allow key-based authentication?
Solution 1
After a little trial and error, I found the answer myself. These options need to be set in /etc/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
Only changing one of them is not enough.
Solution 2
In /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here! Also,
# remember to set the UsePAM setting to 'no'.
#PasswordAuthentication yes
#PermitEmptyPasswords no
Set PasswordAuthentication to no and remove the # before it.
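A way to check a config file against both answers above, as an added example that is not part of the original answers: it reports which password-accepting mechanisms remain enabled. The function names and sample configs are constructed for illustration; it assumes both options default to yes, treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as the same setting, and ignores Match blocks and Include files.

```python
import re

# Assumed defaults: both password paths are on unless explicitly set to "no".
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Simplification: the older keyword is handled as an alias of the newer one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LABELS = {"passwordauthentication": "password",
          "kbdinteractiveauthentication": "keyboard-interactive"}


def effective_settings(config_text):
    """Return the global value of each keyword; the first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line leaves the default in force
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        key = ALIASES.get(key, key)
        value = parts[1].split() if len(parts) == 2 else []
        if key in DEFAULTS and key not in seen and value:
            seen[key] = value[0].strip('"').lower()
    return {**DEFAULTS, **seen}


def password_paths_open(config_text):
    """List the mechanisms that can still accept a password."""
    eff = effective_settings(config_text)
    return [LABELS[k] for k in LABELS if eff[k] != "no"]


# Constructed sample configs (not taken from a real host).
ONLY_ONE = "PasswordAuthentication no\n#ChallengeResponseAuthentication yes\n"
BOTH = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
STOCK = "#PasswordAuthentication yes\n#PermitEmptyPasswords no\n"

if __name__ == "__main__":
    for name, cfg in [("only one", ONLY_ONE), ("both", BOTH), ("stock", STOCK)]:
        print(name, "->", password_paths_open(cfg) or "key-only")
```

On a live host, `sshd -T` (run as root) prints the effective server configuration, which also reflects compiled-in defaults.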
Author: Christian Berg
Updated on September 17, 2022
Comments
-
Christian Berg almost 2 years
I have a Mac OS X machine (Mac mini running 10.5) with Remote Login enabled. I want to open the sshd port to the Internet to be able to log in remotely.
For security reasons I want to disable remote logins using passwords, allowing only users with a valid public key to log in.
What is the best way to set this up in Mac OS X?
-
Christian Berg over 14 years
This is not working, I can still log in with my password. The logfile /var/log/secure.log contains an entry like this:
sshd[16306]: Accepted keyboard-interactive/pam for christian from 192.168.178.20 port 63841 ssh2
I believe the PasswordAuthentication option only controls clear-text password logins, not keyboard-interactive?
-
user21715 over 14 years
Did you read the comment above about setting UsePAM to 'no'?
-
Christian Berg over 14 years
That doesn't seem to be necessary (see my own answer).
-
yorch over 8 years
In El Capitan (and probably in Mavericks as well), the location changed to /etc/ssh/sshd_config instead of just /etc/sshd_config
-
the_real_one over 5 years
That was the fix. A LOT of online resources do not mention the key to this whole thing: ChallengeResponseAuthentication no.