~~NOTOC~~
====== Accelerator Guide: Disable Password Authentication for SSH Logins ======

This guide explains the quick and easy procedure for disabling keyboard/password authentication for ''ssh'' on your Accelerator. Some people prefer to use public key authentication instead of just a password, because it makes the account harder to compromise. If you use a key pair that requires its own passphrase, your account will be protected against unauthorized access even if the computer you store the private key on is compromised or stolen.\\
Disabling password authentication without having a **working** public key setup will **//LOCK YOU OUT//** of your container.\\
\\
Before following this guide, verify that your public key-based login works and that your local ''.ssh'' directory is backed up.

===== Preflight Checklist =====

  - This guide assumes no other changes to the ssh configuration have been made (specifically, it assumes no one has disabled public key based authentication, which is enabled by default).
  - **You should be able to log in using your public/private ssh key pair.\\ See [[all-accelerators:kb:ssh:generate-keys|Generating SSH Keys]] in the [[all-accelerators:kb:ssh:start|SSH Guide]] for more information on setting this up.\\ Do NOT proceed without making sure this works.**

===== The Steps =====

  * Log in to your Accelerator as admin.
  * Type: **sudo nano /etc/ssh/sshd_config** and enter your ''admin'' password.
  * Make the following changes:

^Look for ^Change to ^//Find around// ^
|PasswordAuthentication yes |**PasswordAuthentication no** | //line 119// |
|PAMAuthenticationViaKBDInt yes |**PAMAuthenticationViaKBDInt no** | //line 126// |

  * Press Ctrl-X, type **Y**, press Enter to save these changes.
  * Type **sudo svcadm refresh svc:/network/ssh:default** to make sshd pick up your changes.
  * All done.

===== Explanation =====

  * The above steps edit the configuration file for the ssh daemon running on your Accelerator.
  * We changed it so that it does not permit what is called "Keyboard Interactive" authentication.
  * The **PAMAuthenticationViaKBDInt yes** line must change, as it will override the **PasswordAuthentication no** directive.
  * Finally, the changes are saved and we use the built-in Solaris facility (SMF) to have the ssh daemon reread the configuration and pick up the changes.
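
One way to confirm the edit before refreshing sshd, as an added example that is not part of the original guide: a small shell check that fails unless both directives are set to ''no'', which catches the case where ''PAMAuthenticationViaKBDInt yes'' is left in place. The function names are hypothetical; it assumes the first uncommented occurrence of a keyword is the effective one (as in OpenSSH) and treats a missing keyword as "not disabled".

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Assumption: the first uncommented occurrence of a keyword wins (as in OpenSSH).
# Only the whitespace-separated "Keyword value" form is handled.

# effective_value KEYWORD FILE: print the keyword's value in lower case.
effective_value() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while read -r key val _rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac      # skip blanks and comments
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lkey" = "$want" ]; then
            printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
            return 0
        fi
    done < "$2"
    return 1                                        # keyword not present
}

# password_auth_disabled FILE: succeed only when both directives are "no".
password_auth_disabled() {
    rc=0
    for kw in PasswordAuthentication PAMAuthenticationViaKBDInt; do
        v=$(effective_value "$kw" "$1") || v="(not set)"
        if [ "$v" != "no" ]; then
            echo "FAIL: $kw is $v" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: only the first directive was changed, so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real sshd_config
PasswordAuthentication no
PAMAuthenticationViaKBDInt yes
EOF
password_auth_disabled "$sample" || echo "password logins are still possible"
rm -f "$sample"
```

On the Accelerator, run ''password_auth_disabled /etc/ssh/sshd_config'' after saving the file and before the ''svcadm refresh'' step.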