SSHD Password control settings on MacOS
The relevant settings are UsePAM, PasswordAuthentication and KbdInteractiveAuthentication.
These settings interact in a non-obvious way. Turning UsePAM off disables password
login entirely; the two other settings then only influence how password login fails.
With UsePAM on, password login works unless both of the other options are off,
in which case the server offers only publickey and the client is refused with
Permission denied (publickey) without ever being prompted for a password.
With UsePAM off and PasswordAuthentication still on, the client is prompted for a
password that is never accepted; with PasswordAuthentication off the client is
refused outright, and keyboard-interactive appears in the list of offered methods
only while KbdInteractiveAuthentication is on.
1. Config file changes
/etc/ssh/sshd_config.d/100-macos.conf
diff --git a/etc/ssh/sshd_config.d/100-macos.conf b/etc/ssh/sshd_config.d/100-macos.conf index 219d6a7..9bcd557 100644 --- a/etc/ssh/sshd_config/100-macos.conf +++ b/etc/ssh/sshd_config/100-macos.conf @@ -1,4 +1,4 @@ # Options set by macOS that differ from the OpenSSH defaults. -UsePAM yes +# UsePAM yes AcceptEnv LANG LC_* Subsystem sftp /usr/libexec/sftp-server
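Review bot: the file headers in this hunk disagree about the path: `diff --git a/etc/ssh/sshd_config.d/100-macos.conf` versus `--- a/etc/ssh/sshd_config/100-macos.conf` and `+++ a/etc/ssh/sshd_config/100-macos.conf` (no `.d`), so the patch should be regenerated against /etc/ssh/sshd_config.d/100-macos.conf before anyone applies it. Commenting out `UsePAM yes` also relies on the reader knowing the OpenSSH default is `no`; an explicit `UsePAM no` would state the intent directly under the comment that says this file holds options differing from the defaults.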
/etc/ssh/sshd_config
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index 2b606d5..c193261 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -61,11 +61,11 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -# PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords -# KbdInteractiveAuthentication yes +KbdInteractiveAuthentication no # Kerberos options #KerberosAuthentication no
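Review bot: `PasswordAuthentication no` on its own does not close the password path while UsePAM is yes, because `KbdInteractiveAuthentication yes` still lets PAM accept the password at a `password:` prompt (third row of the table below); the second `-`/`+` pair in this hunk, `KbdInteractiveAuthentication no`, is what actually removes it, so both changes are needed together. After editing, confirm the effective values with `sudo sshd -T | grep -iE 'usepam|passwordauthentication|kbdinteractiveauthentication'` before restarting the service, since a malformed sshd_config stops sshd from starting.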
2. Behavior based on settings
| UsePAM(n) | PA(y) | KI(y) | Success | Result | Prompt |
|---|---|---|---|---|---|
| yes | yes | yes | yes | login | password: |
| yes | yes | no | yes | login | U@H's password: |
| yes | no | yes | yes | login | password: |
| yes | no | no | no | PD (pk) | |
| no | yes | yes | no | Ask->fail | |
| no | yes | no | no | Ask->fail | U@H's password: |
| no | no | yes | no | PD (pk,ki) | |
| no | no | no | no | PD (pk) | |
The above table is kept narrow using the following abbreviations:
| Abbreviation | Meaning |
|---|---|
| UsePAM(n) | UsePAM, OpenSSH default no (macOS sets it to yes in 100-macos.conf) |
| PA(y) | PasswordAuthentication, default yes |
| KI(y) | KbdInteractiveAuthentication, default yes |
| login | Password accepted, session opens |
| Ask->fail | Asks for a password, which is never accepted |
| PD (pk) | Permission denied (publickey) |
| PD (pk,ki) | Permission denied (publickey,keyboard-interactive) |
| U@H's password | $USER@$HOST's password |
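As an added check for section 2 (an example script written for this note, not part of the original page or of OpenSSH): it reads the three effective values out of `sshd -T`, maps them to the client-visible outcome the table above records, and parses the method list a client sees in `Permission denied (...)` so the result can be verified from outside rather than trusted from the config files. The `sshd -T` text embedded below is constructed to match the state after both config edits; it was not captured from a real host. The function names are the script's own.

```shell
#!/bin/sh
# Audit helper for the sshd password-control settings discussed above.

# expected_password_outcome <usepam> <passwordauth> <kbdinteractive>
# Arguments are yes/no as printed by `sshd -T`. Prints what a client sees
# when it tries to log in with a password, per the behaviour table.
expected_password_outcome() {
  pam=$1; pa=$2; ki=$3
  if [ "$pam" = yes ]; then
    if [ "$pa" = no ] && [ "$ki" = no ]; then
      echo "Permission denied (publickey)"
    else
      echo "password login succeeds"
    fi
  else
    # Without PAM the password can never be checked; the other two
    # settings only decide whether the client is prompted first.
    if [ "$pa" = yes ]; then
      echo "asks for password, never accepted"
    elif [ "$ki" = yes ]; then
      echo "Permission denied (publickey,keyboard-interactive)"
    else
      echo "Permission denied (publickey)"
    fi
  fi
}

# effective_setting <sshd -T output> <keyword>
# `sshd -T` prints one lowercase "keyword value" pair per line; this returns
# the value for the requested keyword (empty if absent).
effective_setting() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# audit_dump <sshd -T output>
# Prints the three effective values and the outcome they imply.
audit_dump() {
  dump=$1
  pam=$(effective_setting "$dump" usepam)
  pa=$(effective_setting "$dump" passwordauthentication)
  ki=$(effective_setting "$dump" kbdinteractiveauthentication)
  printf 'UsePAM=%s PasswordAuthentication=%s KbdInteractiveAuthentication=%s -> %s\n' \
    "$pam" "$pa" "$ki" "$(expected_password_outcome "$pam" "$pa" "$ki")"
}

# parse_denied_methods <ssh stderr text>
# Extracts the method list from a line such as
# "alice@mac.local: Permission denied (publickey,keyboard-interactive)."
parse_denied_methods() {
  printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p'
}

# remote_methods <user@host>
# Offers no authentication method at all, so the server's refusal lists the
# methods it still accepts. Needs network access; not run by default.
remote_methods() {
  out=$(ssh -o PreferredAuthentications=none -o BatchMode=yes \
            -o ConnectTimeout=5 "$1" 2>&1 || true)
  parse_denied_methods "$out"
}

# Constructed sample of `sudo sshd -T` output after both config edits
# (UsePAM commented out, both password-style methods set to no).
SAMPLE_DUMP='port 22
usepam no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# On a live macOS host replace the sample with:  audit_dump "$(sudo /usr/sbin/sshd -T)"
audit_dump "$SAMPLE_DUMP"
```

If `remote_methods user@host` prints only `publickey`, the server no longer offers any password-style method; if it prints `publickey,keyboard-interactive` or `publickey,password`, compare the output of `audit_dump` against the table to see which setting is still open.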