5

I’ve asked some web hosting providers (Bluehost and Dreamhost) and they both said that on shared hosting accounts they have no way to disable login via SSH with a password. What this means is that even if we set up SSH keys, logging in without them and via the hosting’s password will always be enabled, pretty much negating most of the advantage for the keys.

From what I can find online, editing /etc/ssh/sshd_config is the way to go to disable login via a password, but since it’s shared hosting, that’s not a possibility.

All that said, they never claimed it can’t be done (though I haven’t found a way), just that they don’t support it. Is there a way to do it on a per-user basis, so that I can set it up myself? And if not, why not, what is the (technical/design) limitation in the way SSH works that prevents it?

user137369
  • 1,080

3 Answers

3

[Is there a way to] disable SSH login via password on a per-user basis?

No. Generally.

what is the (technical/design) limitation in the way SSH works that prevents it?

There is nothing in the SSH protocol design or specification that prevents this.

It is an implementation-specific restriction in the SSH daemon (or service).

The usual sshd program on Linux (etc.) platforms was written to read a single configuration file that applies to all users of that instance of the program.

I believe it would be possible to write an SSH daemon that looks for a supplementary configuration file in a user's home directory (for example). However this has not been done (insufficient demand, probably).


Is there anything approximately equivalent?

What you can do is set the user's login password to some extremely long and completely random string.

It might be possible to use the shell to set a password that contains characters that cannot be entered using SSH clients of the sort believed to be used by attackers. Or at least to set a password that is much longer than any they are likely to attempt using the usual dictionary-based approaches.

-1

SSH DOES support this function, and it's quite trivial to implement - as others have said, it needs the co-operation of your provider. You would do it by setting up a user account without a valid password (on my distro you can do this by failing to enter a password a few times on adduser, but you can always edit /etc/shadow and change the encrypted password to "*" or "!" - as many accounts will already be set up).

The second step is to install your public key in authorised_hosts - this negates the need for ssh to check your password to give you access.

davidgo
  • 73,366
-1

With the OpenSSH server, to disable password authentication on a per-user basis, you would add these lines to the sshd_config file:

# Directives below apply only to connections authenticating as "someuser"
Match user someuser
    PasswordAuthentication no

Refer to the sshd_config manual for details. After editing sshd_config, be sure to restart sshd.

Kenster
  • 8,620
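As an added example (not code from this page or from OpenSSH), here is a small Python checker that reads an sshd_config and reports whether password authentication is still in effect for a given user, applying the documented Match rule: directives in a matching Match block override the global section, and the first value a keyword receives wins. It models only `Match User` criteria and uses a constructed sample config; on a real host, `sshd -T -C user=someuser` prints the effective configuration authoritatively.

```python
from fnmatch import fnmatchcase

# Constructed sample sshd_config (not from the page or any real host): a
# global default plus per-user Match blocks like the one in Kenster's answer.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication yes
Match user someuser
    PasswordAuthentication no
Match User deploy*,backup
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_opts, [(user_patterns, block_opts), ...]) in file order. Keywords
    are case-insensitive; the first value in a section wins (as in OpenSSH)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()  # only "Match User <comma-separated globs>" is modelled
            if len(crit) != 2 or crit[0].lower() != "user":
                raise ValueError(f"unsupported Match criteria: {value!r}")
            current = {}
            blocks.append((crit[1].split(","), current))
        else:
            target = global_opts if current is None else current
            target.setdefault(keyword, value)
    return global_opts, blocks

def effective_options(text, user):
    """Options sshd applies to `user`: matching Match blocks override the global
    section, and among matching blocks the first to set a keyword wins."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {}
    for patterns, opts in blocks:
        if any(fnmatchcase(user, p) for p in patterns):
            for keyword, value in opts.items():
                effective.setdefault(keyword, value)
    for keyword, value in global_opts.items():
        effective.setdefault(keyword, value)
    return effective

def password_auth_allowed(text, user):
    """True if `user` could still log in with a password (sshd default: yes)."""
    return effective_options(text, user).get("passwordauthentication", "yes").lower() == "yes"
```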