Why Your SSH Hardening Changes Aren't Working on BinaryLane

The Problem

You've added SSH keys, edited /etc/ssh/sshd_config to disable password authentication, restarted SSH — and you think you're secure. But password authentication is still enabled.

Your changes are being silently overridden.

BinaryLane uses a drop-in configuration file at /etc/ssh/sshd_config.d/10-binarylane.conf to manage security-critical SSH settings. Drop-in files in sshd_config.d/ take precedence over settings in the main sshd_config — so any changes you make directly to sshd_config for options that also appear in 10-binarylane.conf will have no effect.


How to Check If You're Affected

Run this command to see your effective SSH configuration:

sshd -T | grep passwordauthentication

If this shows passwordauthentication yes after you've tried to disable it in sshd_config, you're affected.

You can also check what BinaryLane's drop-in file is setting:

cat /etc/ssh/sshd_config.d/10-binarylane.conf

How to Fix It

Recommendation: Option 1 is the preferred method as it survives server rebuilds and restores.

Option 1: Create your own drop-in file (Recommended)

Create a custom drop-in config with a lower number than BinaryLane's (lower = loaded first = first match wins):

sudo nano /etc/ssh/sshd_config.d/01-custom.conf

Add your desired settings:

PasswordAuthentication no
PermitRootLogin prohibit-password
X11Forwarding no

Then restart SSH:

sudo systemctl restart sshd

✅ Why this works: Files in sshd_config.d/ are loaded in alphabetical order and the first match wins. 01-custom.conf loads before 10-binarylane.conf, so your settings take priority. This file won't be touched by BinaryLane's provisioning or system updates.

Option 2: Edit the BinaryLane config directly

sudo nano /etc/ssh/sshd_config.d/10-binarylane.conf

Modify the settings there and restart SSH:

sudo systemctl restart sshd

⚠️ Warning: This file may be overwritten if you rebuild or restore your server from a backup. You would need to re-apply your changes after any rebuild.

Verify Your Changes

Always confirm your changes are actually effective after making them:

sshd -T | grep -E 'passwordauthentication|permitrootlogin|x11forwarding'

Expected output if hardening is applied correctly:

passwordauthentication no
permitrootlogin prohibit-password
x11forwarding no

Why It Works This Way

OpenSSH loads sshd_config.d/*.conf files in alphabetical order, and the first match wins — once a setting is seen, later files cannot override it. BinaryLane uses this mechanism to configure security defaults based on how your server was provisioned (with SSH keys vs password). That's why your drop-in file needs a lower number than 10-binarylane.conf to take priority.

ℹ️ How drop-in priority works:
01-custom.conf → loaded first (your overrides win)
10-binarylane.conf → loaded second (settings already set are ignored)
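
The first-match rule above can be checked keyword by keyword. The following is an added example, not BinaryLane's or OpenSSH's code: a hypothetical helper, first_match, that reports which drop-in file supplies a setting, run here over constructed sample files. It assumes single-valued global settings and does not follow Match blocks or nested Include lines.

```shell
# Added example (not BinaryLane's or OpenSSH's code).
# Assumptions: single-valued global settings only; reading of a file stops at
# its first Match block; nested Include lines are not followed.

# first_match DIR KEYWORD -> prints "FILE VALUE" for the setting that wins
first_match() {
    local dir="$1" want f hit
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # The shell sorts glob results, giving the alphabetical load order.
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        hit=$(awk -F'[ \t=]+' -v want="$want" '
            { sub(/^[ \t]+/, "") }                   # drop leading indentation
            /^(#|$)/ { next }                        # skip comments and blanks
            tolower($1) == "match" { exit }          # global section ends here
            tolower($1) == want { print $2; exit }   # keywords ignore case
        ' "$f")
        if [ -n "$hit" ]; then
            printf '%s %s\n' "$(basename "$f")" "$hit"
            return 0            # first match wins: later files are not read
        fi
    done
    return 1                    # keyword not set in any drop-in
}

# Constructed sample contents, not BinaryLane's real file.
make_sample() {
    printf 'PasswordAuthentication yes\nPermitRootLogin yes\n' > "$1/10-binarylane.conf"
    printf 'PasswordAuthentication no\nX11Forwarding no\n' > "$1/01-custom.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for kw in PasswordAuthentication PermitRootLogin X11Forwarding; do
    printf '%-24s %s\n' "$kw" "$(first_match "$demo_dir" "$kw")"
done
rm -rf "$demo_dir"
```

In the sample, PermitRootLogin is still supplied by 10-binarylane.conf because 01-custom.conf does not set it: a lower-numbered file only overrides the keywords it actually contains. On a real server, point the helper at /etc/ssh/sshd_config.d and treat sshd -T as the authoritative answer.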

Avoid the Problem Entirely

When creating a new BinaryLane server, provision with SSH keys only and no password. This automatically sets PasswordAuthentication no in the BinaryLane config — no manual hardening needed.

You can add SSH keys to your account under Account → SSH Keys in the BinaryLane panel, then select them during server creation.


Key Takeaway

Important: Never edit /etc/ssh/sshd_config directly on BinaryLane servers. Always use a drop-in file in /etc/ssh/sshd_config.d/ or edit 10-binarylane.conf directly. Always verify with sshd -T that your changes are effective.