Disable SSH login via password on a per-user basis

shared-hostingssh

I’ve asked some web hosting providers (Bluehost and Dreamhost) and they both said that on shared hosting accounts they have no way to disable login via SSH with a password. What this means is that even if we set up SSH keys, logging in without them and via the hosting’s password will always be enabled, pretty much negating most of the advantage for the keys.

From what I can find online, editing /etc/ssh/sshd_config is the way to go do disable login via a password, but since it’s shared hosting, that’s not a possibility.

All that said, they never claimed it can’t be done (though I haven’t found a way), just that they don’t support it. Is there a way to do it on a per-user basis, so that I can set it up myself? And if not, why not, what is the (technical/design) limitation in the way SSH works that prevents it?

Best Answer

[Is there a way to] disable SSH login via password on a per-user basis?

No. Generally.

what is the (technical/design) limitation in the way SSH works that prevents it?

There is noting in the SSH protocol design or specification that prevents this.

It is an implementation-specific restriction in the SSH daemon (or service)

The usual sshd program on Linux (etc) platforms was written to read a single configuration file that applies to all users of that instance of the program.

I believe it would be possible to write an SSH daemon that looks for a supplementary configuration file in a user's home directory (for example). However this has not been done (insufficient demand probably)

Is there anything approximately equivalent?

What you can do is set the user's login password to some extremely long and completely random string.

It might be possible to use the shell to set a password that contains characters that cannot be entered using SSH clients of the sort believed to be used by attackers. Or at least to set a password that is much longer than any they are likely to attempt using the usual dictionary-based approaches.

Related Solutions

Linux – Is there a way to log into a machine using SSH without password

Key-based authentication is the way to go. Not only is it easier than password auth when configured, but it is much more secure and is easily integrated into automated scripts. There is tons of literature out there on the subject -- to get you started:

https://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html

Linux – Can’t login through remote SSH with correct password

In the past the connection on my DSL has been slow and spurious to my server. Even after moving to a different host in a different country. At those times every other site I try works fine. Not sure if relevant.

Based on the debugging output of ssh -v you are showing — and your comment above which I think is relevant — I would recommend adjusting the sshd_config on your server like this; note that I like to use nano but feel free to use whatever text editor you prefer using.

First, open up the ssh_config file like this:

sudo nano /etc/ssh/sshd_config

There should be a configuration area called GSSAPI options that looks like this:

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Change that to uncomment the line that reads GSSAPIAuthentication no:

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Finally, save that file and restart the SSH server daemon like this. To restart SSH on a RedHat/CentOS-based system do this:

sudo service sshd restart

To restart SSH on a Debian/Ubuntu-based system do this:

sudo service ssh restart

Now try logging in again. I would still recommend ssh -v for debugging purposes, but I believe this will clear things up.

Best Answer

Is there anything approximately equivalent?

Related Solutions

Linux – Is there a way to log into a machine using SSH without password

Linux – Can’t login through remote SSH with correct password

Related Question