
DominikHoffmann

In the past, I have edited /etc/ssh/sshd_config by making sure that these lines are present:
Code:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Today, I came across a Stack Exchange post that referred to macOS updates returning /etc/ssh/sshd_config back to factory settings. It dates back to when Monterey was the current macOS. Is this still an issue with Ventura?

If so, how do we fix that?
 
Yes, this still happens with Ventura. I run a post-update script which restores my edits to /etc/ssh/sshd_config as well as some other stuff that is over-written by OS update.
 
Would you mind posting your script here?

Do you know anything about what the Stack Exchange post says about editing /etc/ssh/sshd_config.d/*.conf? I don’t know what the wildcard “*” would stand for.
 
/etc/ssh/sshd_config includes a line
Include /etc/ssh/sshd_config.d/*
(see the comments in /etc/ssh/sshd_config)
which means include all files under the directory /etc/ssh/sshd_config.d
and these are supposed to take preference.

This is probably the cleanest way to do it:
just create a file in this directory containing your preferred entries.
I use a clunky old script which I've used 'forever' and does other things.
 
Besides the three lines I mentioned in the original post, do you make other modifications to your sshd_conf file related to only allowing key-based authentication?
 
no, I don't think so

BTW: ChallengeResponseAuthentication is now KbdInteractiveAuthentication
(see OpenSSH 8.7 release notes)
and
% sudo sshd -T
shows the current config
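
The drop-in approach and the sshd -T check from the replies above, combined in one shell script. This is an added example, not a script posted by anyone in the thread; the file name 000-key-only.conf and the "apply" argument are assumptions.

```shell
#!/bin/sh
# Added example: keep key-only SSH login in a drop-in file instead of editing
# /etc/ssh/sshd_config, then confirm what sshd actually uses.
# Assumptions: the file name below and the "apply" argument are made up here.
# sshd uses the first value it reads for a keyword and expands Include globs
# in lexical order, so a low-sorting name is read before other drop-ins.

DROPIN_DIR="${DROPIN_DIR:-/etc/ssh/sshd_config.d}"
DROPIN_FILE="000-key-only.conf"

# Write the three settings from the thread (using the OpenSSH 8.7+ keyword
# KbdInteractiveAuthentication) to $1/$DROPIN_FILE via a temp file + rename.
write_dropin() {
    dir="$1"
    tmp="$dir/.key-only.$$"
    printf '%s\n' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' > "$tmp" &&
    chmod 644 "$tmp" &&
    mv "$tmp" "$dir/$DROPIN_FILE"
}

# Read `sshd -T` output on stdin (lowercase "keyword value" lines) and return
# non-zero if any of the three settings is missing or has the wrong value.
check_effective() {
    awk '
        BEGIN {
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) { print "MISMATCH: " $0; bad = 1 }
        }
        END {
            for (k in want) if (!(k in seen)) { print "MISSING: " k; bad = 1 }
            exit bad + 0
        }
    '
}

# Only touch the system when asked to: sudo sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    write_dropin "$DROPIN_DIR" || exit 1
    sshd -t || exit 1                  # syntax check of the full config
    sshd -T | check_effective || exit 1
    echo "key-only authentication is in effect"
fi
```

Re-running the `sshd -T | check_effective` step after each macOS update shows whether the drop-in survived and still wins over the restored defaults.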
 