How to disable ssh password login on Linux to increase security

I want to disable ssh clients from accessing using the password and only allow ssh login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

This page explains how to permanently disable SSH password login on Linux and use only SSH keys. First, set up a regular non-privileged user account. Next, configure SSH keys for that user. Once key-based login works, disable password login for all users, including root. The steps below show how to generate an SSH key and disable password authentication on a Linux or Unix-based system. For demo purposes I am using Ubuntu Linux, but it should work with other Linux distros such as CentOS/RHEL/Fedora/Debian and so on.


Step 1 – Log in to the remote server

Use the ssh command or a client such as PuTTY:
$ ssh root@server-ip-here
$ ssh root@server1.cyberciti.biz

Step 2 – Create a new user account

Type the following command on a Linux-based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password using the passwd command:
# passwd vivek
Sample outputs:

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Add the user to the sudo group (Ubuntu/Debian). On CentOS/RHEL/Fedora Linux, add the user to the wheel supplementary (secondary) group instead:
# usermod -aG sudo vivek
RHEL/CentOS Linux users, type:
# usermod -aG wheel vivek
The above command lets members of the wheel or sudo group run any command via sudo. Verify it using the id command:
# su - vivek
$ id vivek

Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit the login shell:
$ logout
Please note that you can also add an existing user to the sudo or wheel group; there is no need to create a new user account:
# usermod -aG sudo userNameHere #Debian/Ubuntu
# usermod -aG wheel userNameHere #CentOS/RHEL

Step 3 – Install SSH keys on the remote machine

All commands in this step must be executed on your local system (Linux desktop, macOS or FreeBSD workstation). Create the key pair:
$ ssh-keygen -t rsa
Install the public key on the remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.

Test SSH key-based login:
$ ssh vivek@server1.cyberciti.biz
Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

vivek@ubuntu:~$ 

To run a command as administrator (user “root”), use “sudo {command}”. For example:
$ sudo ls /root/
To gain root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

Log in to the server as the newly created user vivek:
ssh vivek@server-ip-here
ssh vivek@server1.cyberciti.biz

Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set it to no:

ChallengeResponseAuthentication no

Next, find PasswordAuthentication and set it to no as well:

PasswordAuthentication no

Search for UsePAM and set it to no, too:

UsePAM no

Finally, look for PermitRootLogin and set it to no:

PermitRootLogin no

Save and close the file. Reload or restart the SSH server on Linux:
# /etc/init.d/ssh reload
On systemd-based Linux distros, use the systemctl command:
$ sudo systemctl reload ssh
On RHEL/CentOS Linux, use:
# /etc/init.d/sshd reload
Again, on a systemd-based distro such as CentOS/RHEL 7.x or a recent Fedora, try:
$ sudo systemctl reload sshd
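
Before reloading sshd, it pays to syntax-check the file and confirm the effective settings, because a mistake here locks you out of the server. The script below is an added example, not part of the original tutorial: it reads the output of sshd -T (the effective configuration as lower-cased "keyword value" lines) from stdin and reports any of the four Step 4 settings whose value differs from the hardened one; the kbdinteractiveauthentication alias it accepts is the name OpenSSH 8.7 and later use for ChallengeResponseAuthentication, which this page does not mention.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the effective sshd
# settings before reloading, so a typo in sshd_config cannot lock you out.
#
# On the server:   sudo sshd -t && sudo sshd -T | sh check_sshd.sh --check
# `sshd -t` syntax-checks the config; `sshd -T` prints the effective
# configuration as lower-cased "keyword value" lines.

# check_sshd_settings: read `sshd -T` output from stdin and print one line per
# Step 4 setting whose effective value differs from the hardened value.
# Returns 0 when all four settings match, 1 otherwise.
check_sshd_settings() {
    conf=$(cat)
    status=0
    # keyword(s)=expected value. OpenSSH 8.7+ reports
    # ChallengeResponseAuthentication as kbdinteractiveauthentication,
    # so both spellings are accepted for that setting.
    for pair in \
        passwordauthentication=no \
        'challengeresponseauthentication|kbdinteractiveauthentication=no' \
        usepam=no \
        permitrootlogin=no
    do
        keys=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$conf" | awk -v keys="$keys" '
            BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
            (tolower($1) in ok) { print tolower($2); exit }')
        if [ "$got" != "$want" ]; then
            printf '%s: expected "%s", effective value is "%s"\n' \
                "$keys" "$want" "${got:-<unset>}"
            status=1
        fi
    done
    return "$status"
}

# Only read stdin when invoked with --check, so sourcing this file is safe.
if [ "${1:-}" = "--check" ]; then
    if check_sshd_settings; then
        echo "sshd hardening settings OK; safe to reload"
    else
        echo "fix the settings above before reloading sshd" >&2
        exit 1
    fi
fi
```

If the script reports a mismatch, fix sshd_config and re-run it before reloading; keep your current session open until a second login with the key succeeds.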

Step 5 – Verification

Try to login as root:
$ ssh root@server1.cyberciti.biz
Permission denied (publickey).

Try to login with password only:
$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no
Permission denied (publickey).

Conclusion

And there you have it: password authentication for SSH is disabled, including for the root user. Your server now accepts only key-based logins, and the root user cannot log in with a password. See “Top 20 OpenSSH Server Best Security Practices” for more info.

4 comments
  • d3rrila Feb 17, 2017 @ 20:21

    Why are you also disabling PAM?
    Does PAM somehow enable a workaround for this, or is it less secure with PAM on?

  • andrej Feb 18, 2017 @ 7:51

    Why do you consider ssh root login unsafe?

    • E_Cooking Feb 18, 2017 @ 10:41

      The reason to disable passwords is that users choose really poor passwords. You don’t want an easy-to-guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:

      ssh root@$Your-IP-Here

      Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers get lucky, given enough time, and find the password, they have root access, and that means your server is rooted.

      Now, when you disallow root to log in over SSH, the bot first needs to guess a user name and then the matching password. You are making bots’ lives harder by disabling root login.

  • E_Cooking Feb 18, 2017 @ 10:37

    I would set PermitRootLogin to prohibit-password so that ssh keys can still be used for root login, automation purposes, etc.:

    PermitRootLogin prohibit-password
