JumpCloud sshd configuration

On Linux systems, JumpCloud manages the sshd configuration by writing to /etc/ssh/sshd_config. If you need exceptions, it is recommended to put them in a conditional Match block: the JumpCloud agent ignores anything within a Match block. See "Using the Match block in sshd_config" for examples.

The following is a list of the possible settings, the corresponding changes to sshd_config, and the expected behavior. 

SSH Password Login



Expected Behavior: Users will authenticate with password only

/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Public Key Authentication



Expected Behavior: Users will authenticate with publickey only

/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no

SSH Password Login + Public Key Authentication



Expected Behavior: Users can authenticate with password OR publickey 

/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes

SSH Password Login + Multifactor Authentication



Expected Behavior: Users will authenticate with password and TOTP token (when the TOTP Key is activated)

/etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Public Key Authentication + Multifactor Authentication



Expected Behavior: Users will authenticate with publickey and TOTP token (when the TOTP Key is activated)

/etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
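
One way to check which of the settings above a host's sshd_config currently reflects, as an added example (not JumpCloud's own code): it reads only the global section, stopping at the first Match line because the agent ignores Match blocks, and compares the directives with the listings on this page. The function names and the sample config, including the user name svc-backup, are constructed for illustration.

```python
import re

# Global-section values per setting, as listed on this page, in KEYS order.
KEYS = ("challengeresponseauthentication", "pubkeyauthentication",
        "passwordauthentication", "authenticationmethods")
PROFILES = {
    ("no", "no", "yes", None): "SSH Password Login",
    ("no", "yes", "no", None): "Public Key Authentication",
    ("no", "yes", "yes", None): "SSH Password Login + Public Key Authentication",
    ("yes", "no", "yes", None): "SSH Password Login + Multifactor Authentication",
    ("yes", "yes", "no", "publickey,keyboard-interactive"):
        "Public Key Authentication + Multifactor Authentication",
}
COMMON = {"usepam": "yes", "permitrootlogin": "no"}  # identical in every listing


def global_directives(text):
    """Directives before the first Match line; sshd keeps the first value per keyword."""
    seen = {}
    for raw in text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue  # not a "keyword value" line (blank line or comment)
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # a Match block runs to the next Match line or end of file
        seen.setdefault(key, value)
    return seen


def classify(text):
    """Return the page's setting name matching the global section, else None."""
    d = global_directives(text)
    if any(d.get(k) != v for k, v in COMMON.items()):
        return None
    return PROFILES.get(tuple(d.get(k) for k in KEYS))

# Constructed sample: managed global section plus a hypothetical Match exception.
SAMPLE = """\
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Match User svc-backup
    PasswordAuthentication yes
"""
print(classify(SAMPLE))
```

A result of None means the global section no longer matches any listing on this page, for example because a directive was edited by hand outside a Match block.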
 

Last Updated: Sep 19, 2018 03:48PM MDT
