This page explains how to disable SSH password login on Linux permanently and use only SSH keys for login. First, you need to set up a regular, non-privileged user account. Next, configure SSH keys for that user. Once SSH keys work, you disable password login for all users, including root. This page shows how to generate an SSH key and disable password authentication on a Linux or Unix-based system. For demo purposes, I am using an Ubuntu Linux system here, but it should work with other Linux distros such as CentOS/RHEL/Fedora/Debian and so on.
| Tutorial details | |
|---|---|
| Difficulty | Easy |
| Root privileges | Yes |
| Requirements | Linux or Unix with OpenSSH |
| Time | 2 minutes |
Step 1 – Login to the remote server
Use the ssh command or an SSH client such as PuTTY:
$ ssh root@server-ip-here
$ ssh root@server1.cyberciti.biz
Step 2 – Create a new user account
Type the following command on a Linux-based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password using the passwd command:
# passwd vivek
Sample outputs:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Add the user to the sudo group (Ubuntu/Debian). If you are using CentOS/RHEL/Fedora Linux, add the user to the wheel supplementary (secondary) group instead:
# usermod -aG sudo vivek
RHEL/CentOS Linux users, type:
# usermod -aG wheel vivek
The above command allows members of the wheel or sudo group to run all commands via sudo. Verify it using the id command:
# su - vivek
$ id vivek
Sample outputs:
uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)
Exit the login shell:
$ logout
Please note that you can add existing users to sudo or wheel group too. No need to create a new user account:
# usermod -aG sudo userNameHere #Debian/Ubuntu
# usermod -aG wheel userNameHere #CentOS/RHEL
Step 3 – Install ssh keys on a remote machine
All commands in this step must be executed on your local system (desktop, macOS or FreeBSD workstation), not on the server. Create the key pair:
$ ssh-keygen -t rsa
Install the public key in remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
Sample outputs:
/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.
Test SSH key-based login:
$ ssh vivek@server1.cyberciti.biz
Sample outputs:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

vivek@ubuntu:~$
To run a command as administrator (user “root”), use “sudo {command}”. For example:
$ sudo ls /root/
To gain root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.
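ssh-copy-id does two things on the remote host: it appends your public key to ~/.ssh/authorized_keys and makes sure the directory and file have permissions that sshd (with the default StrictModes yes) will accept. The following added example, which is not part of this tutorial or of OpenSSH, does the same by hand in POSIX sh so that you can see and check each step; it is useful when ssh-copy-id is not available on your workstation or when you provision keys from a script. The home directory and key file names are hypothetical arguments, and the key material in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): a manual equivalent of
# what ssh-copy-id does on the remote host, including the permission fixes
# that sshd's StrictModes requires. Assumes POSIX sh plus awk.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the public key found in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
# unless the same key is already there. Prints "added" or "present".
install_authorized_key() {
    home="$1"
    pubkey_file="$2"
    keyfile="$home/.ssh/authorized_keys"

    # sshd refuses authorized_keys that are group- or world-writable
    # (StrictModes yes), so set the permissions explicitly.
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    touch "$keyfile" || return 1
    chmod 600 "$keyfile" || return 1

    # Compare key type + base64 blob only, so a different trailing comment
    # does not create a duplicate entry.
    blob=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    if [ -z "$blob" ]; then
        echo "no public key found in $pubkey_file" >&2
        return 1
    fi
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$keyfile"; then
        echo "present"
        return 0
    fi
    # awk's print always terminates the line, even if the .pub file has no newline.
    awk 'NF >= 2 { print; exit }' "$pubkey_file" >> "$keyfile" || return 1
    echo "added"
}

# authorized_key_count HOME_DIR: number of key lines in authorized_keys.
authorized_key_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Demo with a constructed key in a temporary directory. The key material is a
# made-up placeholder, not a real key.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL000000000000000 vivek@workstation\n' \
    > "$demo_dir/id_ed25519.pub"
install_authorized_key "$demo_dir/home" "$demo_dir/id_ed25519.pub"   # added
install_authorized_key "$demo_dir/home" "$demo_dir/id_ed25519.pub"   # present
ls -ld "$demo_dir/home/.ssh" "$demo_dir/home/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

To use it on a real server, copy the .pub file over (for example with scp, while password login still works) and run install_authorized_key /home/vivek /tmp/id_rsa.pub as that user; then test the key login from your workstation exactly as shown above before moving on to step 4.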
Step 4 – Disable root login and password based login
Log in to the server using the newly created user named vivek:
ssh vivek@server-ip-here
ssh vivek@server1.cyberciti.biz
Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set to no:
ChallengeResponseAuthentication no
Next, find PasswordAuthentication set to no too:
PasswordAuthentication no
Search for UsePAM and set to no, too:
UsePAM no
Finally, look for PermitRootLogin and set it to no too:
PermitRootLogin no
If you want root to be able to log in with an SSH key (for automation, for example) but never with a password, use prohibit-password instead:
PermitRootLogin prohibit-password
Save and close the file. Reload or restart the ssh server on Linux:
# /etc/init.d/ssh reload
We can use the systemctl command for systemd based Linux distros:
$ sudo systemctl reload ssh
One can use the following on RHEL/CentOS Linux:
# /etc/init.d/sshd reload
Again for systemd based distro such as CentOS/RHEL 7.x or the latest version of Fedora, try the following commands to restart (reload) sshd:
$ sudo systemctl reload sshd
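Before you rely on the new settings, it pays to check what sshd will actually use rather than what you typed: sshd -T prints the effective configuration after defaults, later duplicate lines and any drop-in files have been applied, so it catches the case where a later line or an included file silently re-enables password login. The added example below, which is not part of this tutorial or of OpenSSH, is a small POSIX sh check over that output for the values set in this step. It accepts prohibit-password as well as no for PermitRootLogin, since both block root password login, and it also checks that PubkeyAuthentication is still yes so that you cannot lock yourself out. The sample "sshd -T" output embedded at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check the effective sshd
# settings printed by "sshd -T" against the values this step sets.
# On the server, run as root:
#     sshd -T > /tmp/sshd-effective.txt && check_sshd_hardening /tmp/sshd-effective.txt
# A constructed sample of "sshd -T" output is embedded below so it runs offline.

# check_sshd_hardening FILE
# FILE holds "sshd -T" output (lowercase "keyword value" lines).
# Prints one line per problem; returns 0 only when every expected value is present.
check_sshd_hardening() {
    cfg="$1"
    rc=0
    # Each entry is "keyword-pattern expected-value-pattern" (extended regexes).
    # OpenSSH 8.7 and later print kbdinteractiveauthentication instead of
    # challengeresponseauthentication, so both spellings are accepted.
    for want in \
        "passwordauthentication no" \
        "challengeresponseauthentication|kbdinteractiveauthentication no" \
        "usepam no" \
        "permitrootlogin no|prohibit-password" \
        "pubkeyauthentication yes"
    do
        key="${want%% *}"
        val="${want#* }"
        got=$(awk -v k="$key" '$1 ~ ("^(" k ")$") { print $2; exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "MISSING  $key (not in sshd -T output)"
            rc=1
        elif ! printf '%s\n' "$got" | grep -Eqx "$val"; then
            echo "WRONG    $key=$got (expected $val)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: what "sshd -T" could print on a host where a drop-in
# file under /etc/ssh/sshd_config.d re-enabled password logins after the edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam no
permitrootlogin no
EOF
check_sshd_hardening "$sample" || echo "fix the settings above before relying on key-only login"
rm -f "$sample"
```

Run sshd -t first to catch syntax errors (a broken config stops sshd from reloading), and keep your current SSH session open while you test a fresh login in a second terminal, so that a mistake does not leave you locked out.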
Step 5 – Verification
Try to login as root:
$ ssh root@server1.cyberciti.biz
Permission denied (publickey).
Try to login with password only:
$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no
Permission denied (publickey).
Conclusion
And there you have it: password authentication for SSH is disabled, including for the root user. Your server will now only accept key-based login, and the root user cannot log in with a password. See “Top 20 OpenSSH Server Best Security Practices” for more info.
6 comments so far
Why are you also disabling PAM?
Does PAM somehow enable a workaround for this, or is it less secure with PAM on?
why do you consider ssh root login unsafe?
The reason to disable passwords is that users choose really poor passwords. You don’t want an easy-to-guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:
Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers have luck with enough time and find a password, they would have root access, and that would mean your server is rooted.
Now, when you disallow root to log in over SSH, the bot first needs to guess a user name and then the matching password. You are making the bots’ life harder by disabling root login.
I would set PermitRootLogin to prohibit-password so that ssh keys can be used for root login or automation purpose etc:
Hi,
Thanks for your explanations.
You saved me :)
I was looking for how to force SSH to only allow users with a key to log in on our FreeBSD EC2 server. This page helped me a lot.
Thanks to you, this helped me a lot.