1

I have a VPS with Nginx, Ubuntu 24.04 and OpenSSH installed. In my sshd_config I have PasswordAuthentication=no. I recently installed vsftpd and now it turns out that FileZilla connects to the server with password authentication and without using the SSH keys. This makes it look like all the safety measures I took are completely in vain, because if I can, everybody else can connect to my server using FileZilla too. Have I overlooked something? Is there anything I can do to prevent FileZilla from connecting to the server without using the SSH key?

EDIT:

My sshd_config looks like this:

PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
ChallengeResponseAuthentication no
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
johannes
  • 195

1 Answer

0

You have UsePAM yes, which will read /etc/pam.d/sshd, and that one most likely (e.g. via the included common-auth) will use password authentication (e.g. pam_unix).

You most probably want to disable PAM and use pubkey auth only, i.e.:

UsePAM no
PubkeyAuthentication yes

Make sure you're able to ssh into the machine using a private/public key pair (and not your username/password) first, or you'll be locked out of remote access to that system.

Only when you can ssh into that machine without using a username/password should you try to use SFTP in FileZilla to connect. And watch the FileZilla console messages to see what it is trying, and what works and what does not.


As an alternative to disabling PAM in sshd, you can leave PAM enabled in sshd but edit its auth stanzas so that sshd is not allowed to use pam_unix or other username/password authentication methods (that is harder to do, but potentially less disruptive, as it leaves e.g. accounting / session handling as before).

Matija Nalis
  • 1,482
  • 15
  • 21
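An added check, not code from the question or the answer: it reads the effective sshd settings (`sshd -T` output, which fills in defaults and lowercases keywords) and reports on the keywords the answer discusses, flagging UsePAM yes as something whose PAM auth stanzas need inspection and refusing to call the host "key-only" when PubkeyAuthentication is off. The two samples are constructed from the asker's config and the answer's two lines.

```shell
#!/bin/sh
# Added example (not the question's or answer's code): audit the effective sshd
# auth settings the answer discusses, from `sshd -T` output on stdin. A
# constructed sample is embedded; on a real host:  sshd -T | audit_sshd_auth
# Effective value of one sshd -T keyword (lowercase); empty if absent.
sshd_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Returns 0 when only public-key authentication can succeed in sshd,
# 1 when a password path is still configured or key login is off.
audit_sshd_auth() {
    cfg=$(cat); rc=0
    for kw in passwordauthentication kbdinteractiveauthentication; do
        v=$(printf '%s\n' "$cfg" | sshd_value "$kw")
        if [ "$v" = "yes" ]; then
            echo "WARN: $kw yes (sshd accepts password/keyboard logins)"; rc=1
        else
            echo "ok:   $kw ${v:-unset}"
        fi
    done
    v=$(printf '%s\n' "$cfg" | sshd_value usepam)
    if [ "$v" = "yes" ]; then
        # Per the answer: /etc/pam.d/sshd (and what it includes) is consulted.
        echo "WARN: usepam yes (check /etc/pam.d/sshd auth stanzas for pam_unix)"; rc=1
    else
        echo "ok:   usepam ${v:-unset}"
    fi
    v=$(printf '%s\n' "$cfg" | sshd_value pubkeyauthentication)
    if [ "$v" != "yes" ]; then
        # Lock-out is the failure mode the answer warns about: fix this first.
        echo "WARN: pubkeyauthentication ${v:-unset} (key login would fail)"; rc=1
    else
        echo "ok:   pubkeyauthentication yes"
    fi
    return $rc
}
# Constructed samples: the asker's settings as sshd -T prints them, and the
# same host after the answer's "UsePAM no" / "PubkeyAuthentication yes".
SAMPLE_BEFORE='passwordauthentication no
kbdinteractiveauthentication no
usepam yes
pubkeyauthentication yes'
SAMPLE_AFTER='passwordauthentication no
kbdinteractiveauthentication no
usepam no
pubkeyauthentication yes'
printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd_auth && echo "before: key-only" || echo "before: NOT key-only"
printf '%s\n' "$SAMPLE_AFTER"  | audit_sshd_auth && echo "after:  key-only"  || echo "after:  NOT key-only"
```

The script only inspects sshd; whatever FileZilla reaches on the vsftpd side is a separate service and is not covered by these keywords.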