SSH: can't turn off password authentication

My YunoHost server

Hardware: Old laptop or computer
YunoHost version:
$ sudo yunohost tools versions
yunohost:
  repo: testing
  version: 11.1.0.2
yunohost-admin:
  repo: testing
  version: 11.1.0.2
moulinette:
  repo: stable
  version: 11.0.9
ssowat:
  repo: stable
  version: 11.0.9

I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If yes, please explain:

Description of my issue

I had to change SSH to password authentication to add a new computer’s SSH key. Then I tried changing it back, but it still shows a password prompt. It even shows a password prompt for users that aren’t in the admin group.

I used the webadmin to turn off passwords.

I also tried the CLI way:

$ sudo yunohost settings set security.ssh.password_authentication -v no
[sudo] password for elias: 
Info: Saving the new configuration...
Success! Config updated as expected

I even restarted SSH in case that’s necessary.

$ sudo yunohost service restart ssh
Success! Service 'ssh' restarted

But then I try to log in with a user that isn’t in the admin group and it gets a password prompt.

$ ssh bob@arkadi.one
Debian GNU/Linux 10
bob@arkadi.one's password:

User bob is not in the admin group.

cf Disable password auth not working in Webadmin · Issue #2108 · YunoHost/issues · GitHub

Just one more question, I see you marked it solved so I will assume that the CLI command hooks up with the Webadmin stuff.

I am still confused why the user bob, who isn’t in the admins group, even sees an ssh password prompt. Shouldn’t ssh immediately stop the login?

PS also my apologies, I totally forgot to check GitHub before posting this issue.

No, that’s the perfectly usual behavior … this is designed to prevent attackers from easily guessing what usernames exist on a system, same reason why usually when you try to login on a website and you mistype your password, the website will display the same message as if you mistyped the login (something like “The credentials are incorrect”, not explicitly “The login is incorrect” or “The password is incorrect”), to not “leak” the info that your account exists (or same stuff for “reset my password”, usually the website tells you “IF this email address exists in our system, we will send a recovery password email”)
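A useful check when a setting like this "doesn't stick" is to work out what sshd will actually apply to a given user, since a later `Match` block can silently override the global `PasswordAuthentication` value. The following is an added example (not YunoHost's code and not part of this thread) that evaluates a sshd_config text the way sshd does for that one keyword: first value wins in the global section, and the first matching `Match` block that sets it overrides the global value. It assumes `Match` criteria limited to `User`, `Group` and `all`; the sample config is constructed.

```python
"""Compute the PasswordAuthentication value sshd would apply to a user."""
import fnmatch
import shlex

# Constructed sample (not YunoHost's real config): passwords are off
# globally, but a Match block re-enables them for one user.
SAMPLE_CONFIG = """
PasswordAuthentication no
Match Group admins
    PasswordAuthentication no
Match User bob
    PasswordAuthentication yes
"""

def _match_applies(criteria, user, groups):
    """Evaluate a Match line's criteria; only User/Group/all are modelled."""
    if len(criteria) == 1 and criteria[0].lower() == "all":
        return True
    for key, pattern in zip(criteria[::2], criteria[1::2]):
        pats = pattern.split(",")
        key = key.lower()
        if key == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in pats):
                return False
        elif key == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats):
                return False
        else:
            return False  # Address/Host/... criteria are not modelled here
    return True

def effective_password_auth(config_text, user, groups):
    """Return 'yes' or 'no' as sshd would resolve it for this user."""
    global_value, match_value = None, None
    in_match, applies = False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key == "match":  # a Match block runs until the next Match line
            in_match, applies = True, _match_applies(parts[1:], user, groups)
            continue
        if key != "passwordauthentication":
            continue
        value = parts[1].lower()
        if not in_match and global_value is None:
            global_value = value          # first global value wins
        elif in_match and applies and match_value is None:
            match_value = value           # first applicable Match wins
    return match_value if match_value is not None else (global_value or "yes")
```

On a live host, `sudo sshd -T -C user=bob` prints the effective values sshd itself would use for that user, including Match processing and any included drop-in files.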

Ok thank you for explaining that. I was just wondering if something was misconfigured.

As always, thank you for taking the time to answer forum posts and support questions.

Happy Holidays!
