How to disable ssh password login on Linux to increase security

I want to disable ssh clients from accessing using the password and only allow ssh login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

First, you need to setup a normal user account. Next, configure SSH keys for login. Once you have SSH Keys configured, you need to disable password login for all users include root. In this guide, shows you how to generate an ssh key and disable password authentication on the Linux or Unix-based system. For demo purpose I am using a Ubuntu Linux here.

Step 1 – Login to the remote server

Use the ssh command or client such as Putty:
$ ssh root@server-ip-here $ ssh root@server1.cyberciti.biz

Step 2 – Create a new user account

Type the following command on Linux based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password:
# passwd vivek
Sample outputs:

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Add user to sudo (Ubuntu/Debian) or wheel (RHEL/CentOS) supplementary/secondary group:
# usermod -aG sudo vivek
OR for RHEL/CentOS Linux:
# usermod -aG wheel vivek
The above command allows people in group wheel or sudo to run all commands. Verify it:
# su - vivek $ id vivek
Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit a login shell:
$ logout
How to disable ssh password login/authentication for SSH
Please note that you can add existing users to sudo or wheel group too. No need to create a new user account:
# usermod -aG sudo userNameHere #Debian/Ubuntu # usermod -aG wheel userNameHere #CentOS/RHEL

Step 3 – Install ssh keys on a remote machine

All command must be executed on local system/desktop/macos/freebsd workstation. Create the key pair:
$ ssh-keygen -t rsa
Install the public key in remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.

Test ssh keybase login:
$ ssh vivek@server1.cyberciti.biz
Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

vivek@ubuntu:~$

To run a command as administrator (user “root”), use “sudo {command}”. For example:
$ sudo ls /root/
To gain root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Find PasswordAuthentication set to no

PasswordAuthentication no

Find UsePAM and set to no:

UsePAM no

Find PermitRootLogin and set to no:

PermitRootLogin no

Save and close the file. Reload the ssh server:
# /etc/init.d/ssh reload
OR
$ sudo systemctl reload ssh
OR Use the following on RHEL/CentOS Linux
# /etc/init.d/sshd reload

Step 5 – Verification

Try to login as root:
$ ssh root@server1.cyberciti.biz Permission denied (publickey).
Try to login with password only:
$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no Permission denied (publickey).

And there you have it, password authentication for SSH disabled including root user. Your server will now only accept key based login and the root user can not login with password.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

11 comment

Why are you also disabling PAM?
Does PAM somehow enable a workaround for this, or is it less secure with PAM on?

why do you consider ssh root login unsafe?

E_Cooking says:

February 18, 2017 at 10:41 am
The reason to disable passwords is that users choose really poor password. You don’t want easy to guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:
```
ssh root@$Your-IP-Here
```
Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers have luck with enough time, and find a password, they would have root access and that would mean your server rooted.

Now, when you disallow root to log in over SSH, the bot needs first to guess a user name and then the matching password. You are making bots life harder by disabling root login.

I would set PermitRootLogin to prohibit-password so that ssh keys can be used for root login or automation purpose etc:

PermitRootLogin prohibit-password

Notable Replies

Robert_Logan says:

set : PasswordAuthentication no

in: /etc/ssh/sshd_config

restart the ssh deamon
nixcraft says:
patrickr:

Why was it necessary to create a new user? Could I have just used an existing user?

Yes, you can use existing user too. Say add user tom to sudo, run:
```
sudo usermod -aG sudo tom
```
I will update the page soon. Thanks for the feedback.
nixcraft says:

You just upload/copy your ssh key. That is all. Rest of the users will enter password but you can login using ssh.
nixcraft says:
Did you installed key using the ssh-copy-id command for your remote server?
```
ssh-copy-id -i /path/to/rsaForPythonScript.pub user@server
```
You need to specify rsaForPythonScript for login:
```
ssh -i /path/to/rsaForPythonScript.pub user@server
```
Add the -v to see why key is not accepted:
```
ssh -v -i /path/to/rsaForPythonScript.pub user@server
```

Continue the discussion www.nixcraft.com

3 more replies

Participants

d3rrila says:

February 17, 2017 at 8:21 pm

Why are you also disabling PAM?
Does PAM somehow enable a workaround for this, or is it less secure with PAM on?
andrej says:

February 18, 2017 at 7:51 am

why do you consider ssh root login unsafe?
1. E_Cooking says:
  
  February 18, 2017 at 10:41 am
  The reason to disable passwords is that users choose really poor password. You don’t want easy to guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:
```
ssh root@$Your-IP-Here
```
  Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers have luck with enough time, and find a password, they would have root access and that would mean your server rooted.
  
  Now, when you disallow root to log in over SSH, the bot needs first to guess a user name and then the matching password. You are making bots life harder by disabling root login.
E_Cooking says:

February 18, 2017 at 10:37 am
I would set PermitRootLogin to prohibit-password so that ssh keys can be used for root login or automation purpose etc:
```
PermitRootLogin prohibit-password
```

Still, have a question? Get help on our forum!