Good - Editing the config file
SSH supports several methods of authenticating a remote login. The most common are password authentication and public/private key authentication through the authorized_keys file. Read more about SSH key-based authentication on FreeBSD.
Disabling password authentication over SSH provides a more secure environment, less susceptible to the constant password-guessing attacks occurring on any given network. By default, password logins are possible on FreeBSD, but they are simple to disable by making a change to the /etc/ssh/sshd_config file and restarting the SSH daemon: service sshd restart.

Note which keyword changes in the diff below. On FreeBSD the interactive password prompt is delivered through PAM via keyboard-interactive authentication, so the setting to turn off is KbdInteractiveAuthentication (named ChallengeResponseAuthentication in OpenSSH releases before 8.7), not only PasswordAuthentication.
diff /etc/ssh/sshd_config.orig /etc/ssh/sshd_config
65c65
< #KbdInteractiveAuthentication yes
---
> KbdInteractiveAuthentication no
This was sufficient until recently, when the freebsd-update program started complaining about the local changes made to the /etc/ssh/sshd_config file:
# freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 13.2-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 28 patches.....10....20.... done.
Applying patches... done.
The following files are affected by updates. No changes have
been downloaded, however, because the files have been modified
locally:
/etc/ssh/sshd_config
Better - Setting startup flags
To ease the upgrade procedure, password authentication can instead be disabled with a server command-line argument, using the -o (option) flag, rather than by editing the sshd_config file directly. In the /etc/rc.conf file, set sshd_flags (by hand or with sysrc(8)) to pass the option. sshd uses the first value it obtains for a keyword, and options given with -o are processed before the configuration file, so the -o setting wins over whatever sshd_config says. The original config file does not need to be changed and upgrades proceed smoothly:
sshd_enable="YES"
sshd_flags="-o KbdInteractiveAuthentication=no"
Testing
Now you're ready to test the server to make sure password authentication is disabled. Use the following command to tell your local ssh client not to use key-based authentication and to prefer password-based authentication. The client should give up when trying to authenticate to the server, since password authentication is now disabled. The methods listed in parentheses in the error are the ones the server still offers; if password or keyboard-interactive appears there, a password can still be typed at the prompt:
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@example.com
user@example.com: Permission denied (publickey).
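The client test above checks the result from the outside. The complementary check is on the server itself, against the configuration sshd actually loads rather than the file as read by eye. The script below is an added example, not part of the original post: it parses the output of sshd -T (which prints every keyword, lowercased, with its effective value, one per line, after applying sshd_config and any -o overrides given on that same command line) and fails unless every password-style login path is off. Because sshd -T is run by hand, the sshd_flags from rc.conf are not applied automatically, so the same -o option has to be repeated; run it as root. The script name audit_sshd.sh and the abridged sample dumps embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective sshd
# authentication settings from `sshd -T` output. `sshd -T` prints every
# keyword, lowercased, with the value in force after sshd_config and any
# -o overrides on its own command line have been applied. rc.conf's
# sshd_flags are only honoured by the rc script, so repeat them here:
#
#   sshd -T -o KbdInteractiveAuthentication=no > /tmp/sshd-effective.txt
#   sh audit_sshd.sh /tmp/sshd-effective.txt      # script name assumed

# effective_value FILE KEYWORD: print the keyword's value (lowercased),
# or nothing if sshd -T did not emit that keyword.
effective_value() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# audit_sshd_auth FILE: return 0 when no password-style login path is
# enabled, 1 otherwise, printing one line per finding.
audit_sshd_auth() {
    f="$1"
    rc=0
    pw=$(effective_value "$f" passwordauthentication)
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; an older sshd prints the old keyword.
    kbd=$(effective_value "$f" kbdinteractiveauthentication)
    [ -z "$kbd" ] && kbd=$(effective_value "$f" challengeresponseauthentication)
    empty=$(effective_value "$f" permitemptypasswords)

    if [ "$pw" != "no" ]; then
        echo "FAIL: passwordauthentication is '${pw:-unset}' (want no)"
        rc=1
    fi
    # On FreeBSD the password prompt normally arrives through PAM via
    # keyboard-interactive, so this keyword matters as much as the one above.
    if [ "$kbd" != "no" ]; then
        echo "FAIL: kbdinteractiveauthentication is '${kbd:-unset}' (want no); PAM can still prompt for a password"
        rc=1
    fi
    if [ "$empty" = "yes" ]; then
        echo "FAIL: permitemptypasswords is yes"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no password-based login path is enabled"
    return "$rc"
}

# Constructed, abridged samples of `sshd -T` output; a real dump has many
# more keywords. SAMPLE_BEFORE is the situation the diff in the post fixes:
# keyboard-interactive (PAM) is still on. SAMPLE_AFTER is the state after
# sshd_flags="-o KbdInteractiveAuthentication=no" takes effect.
SAMPLE_BEFORE='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
permitemptypasswords no'
SAMPLE_AFTER='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

if [ $# -ge 1 ] && [ -r "$1" ]; then
    audit_sshd_auth "$1"
else
    # No dump given: show the function on the constructed samples.
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" > "$tmp"
    audit_sshd_auth "$tmp" || echo "(expected before the rc.conf change)"
    printf '%s\n' "$SAMPLE_AFTER" > "$tmp"
    audit_sshd_auth "$tmp"
    rm -f "$tmp"
fi
```

Run without arguments it audits the two embedded samples, failing the first and passing the second; given a file it audits that dump. A non-zero exit status makes it usable from a post-upgrade hook or a configuration-management check, and the keyword alias keeps it honest on hosts whose sshd predates the rename.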