Disable login prompt through SSH when no key is present

Question

I've set OpenSSH server with private/public keys, with password login disabled.

I was wondering if there was a way to not even show the 'login:' prompt when someone without a key tries to connect.

EDIT

Okay ... There seems to be some confusion as to what I'm trying to achieve. So, here's a better explanation (I hope) ...

Current setup

Client with key connects, and goes through the process:

login as: username
BANNER
Authenticating with public key "Key name"
Passphrase for key "key name": *******
Welcome
username@hostname:~$

Client without key connects, and goes through process:

login as: username
BANNER
Server refused our key

What I want

client without key connects, and goes through process:

No key, go away.

See http://stackoverflow.com/questions/20898384/ssh-disable-password-authentication — Panther, Sep 01 '14 at 22:26
The keys on the server side are typically stored in ~/.ssh, i.e. a user-specific directory, so it makes sense that you would always have to provide a username one way or another; it has to know which keys to compare. If you have the same username on each machine then SSH without a username assumes the one you are connecting to is the username on your local machine. — adamconkey, Sep 02 '14 at 15:49
How will the Server know which key to try if you have not identified a user? SSH won't run through every key on file in the hope that something fits. That would all kinds of problems. The simplest way to avoid the login prompt is to include the username in the ssh connection command: ssh homerjsimpson@servername.org — user535733, Oct 19 '20 at 23:43

score 5 · Answer 1 · edited Oct 19 '20 at 23:18

5

On the server side, edit /etc/ssh/sshd_config so that you have the line:

PasswordAuthentication no

then restart the server:

sudo service sshd restart

That will remove the ability to authenticate without a key.

However, you will always have to identify yourself, so you can't remove the login prompt.

If you use ssh username@hostname to connect, you'll never see it, but others will if they connect to the hostname with no username.

You can limit access to only your username with a key if you add to the above:

AllowUsers username

For this and other things, see the Ubuntu wiki page for SSH.

edited Oct 19 '20 at 23:18

Jacta

answered Sep 01 '14 at 21:51

wxl

Erm ... Yeah I've already done that ... But doesn't change the normal behavior of showing the 'login:' prompt when someone connects to the server. – Just Lucky Really Sep 01 '14 at 21:55
Without a key, it should give: Permission denied (publickey). – wxl Sep 01 '14 at 22:43
It still shows the 'login as:' prompt – Just Lucky Really Sep 01 '14 at 22:46
Edited to provide a more authoritative answer. Sorry for the misunderstanding and thanks for the clarification. – wxl Sep 01 '14 at 22:52
Yeah, what I'm trying to achieve, is when clients connect to the hostname, that the 'login as:' prompt is disabled (Without a key) ... So this answer still doesn't work – Just Lucky Really Sep 01 '14 at 23:09
What I'm saying is there is no way to do what you want. You will always need to identify yourself. Unless you edit the OpenSSH server code :-) – wxl Sep 01 '14 at 23:11
2

Well that's a kick in the nuts – Just Lucky Really Sep 01 '14 at 23:17
Yeah not every question can be answered with a likable answer :-) – wxl Sep 01 '14 at 23:29
sudo service ssh restart no ? – Jean-Luc Barat Jul 10 '16 at 20:57
@Jean-LucBarat same difference, actually. – wxl Nov 07 '17 at 05:41

1 Answers1