
How to disable ssh password login on Linux to increase security

I want to stop SSH clients from logging in with a password and only allow SSH login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

First, you need to set up a normal user account. Next, configure SSH keys for login. Once you have SSH keys configured, you need to disable password login for all users, including root. This guide shows you how to generate an SSH key and disable password authentication on a Linux or Unix-based system.

How to Disable Password Authentication for SSH

For demonstration purposes, I am using Ubuntu Linux here.

Step 1 – Login to the remote server

Use the ssh command or a client such as PuTTY:
$ ssh root@server-ip-here
$ ssh root@server1.cyberciti.biz

Step 2 – Create a new user account

Type the following command on Linux based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password:
# passwd vivek
Sample outputs:

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Add user to sudo (Ubuntu/Debian) or wheel (RHEL/CentOS) supplementary/secondary group:
# usermod -aG sudo vivek
OR for RHEL/CentOS Linux:
# usermod -aG wheel vivek
The above command allows people in group wheel or sudo to run all commands. Verify it:
# su - vivek
$ id vivek

Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit a login shell:
$ logout

Step 3 – Install ssh keys on a remote machine

All commands in this step must be executed on your local system (a Linux desktop, macOS or FreeBSD workstation). Create the key pair:
$ ssh-keygen -t rsa
Install the public key in remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.

Test SSH key-based login:
$ ssh vivek@server1.cyberciti.biz
Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

vivek@ubuntu:~$ 

To run a command as administrator (user “root”), use “sudo {command}”. For example:
$ sudo ls /root/
To gain root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Find PasswordAuthentication and set to no:

PasswordAuthentication no

Find UsePAM and set to no:

UsePAM no

Find PermitRootLogin and set to no:

PermitRootLogin no

Save and close the file. Reload the ssh server:
# /etc/init.d/ssh reload
OR
$ sudo systemctl reload ssh
OR use the following on RHEL/CentOS Linux:
# /etc/init.d/sshd reload
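
The four settings from Step 4 can also be checked on the server itself, as an added example that is not part of the original guide. It reads the output of sshd -T, which prints the effective configuration as lower-case "keyword value" lines; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output against the values set in Step 4.
# Live use on the server:  sudo sshd -T | audit_sshd_effective

# Print the effective value of keyword $2 found in the dump text $1.
effective() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Read an `sshd -T` dump on stdin; print one FAIL line per mismatch.
# Returns 0 only if every setting matches Step 4.
audit_sshd_effective() {
    dump=$(cat)
    fails=0
    for pair in passwordauthentication=no usepam=no permitrootlogin=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective "$dump" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective=${got:-unset} expected=$want"
            fails=$((fails + 1))
        fi
    done
    # OpenSSH 8.7 and later call this setting KbdInteractiveAuthentication
    # and keep ChallengeResponseAuthentication as a deprecated alias, so
    # check whichever of the two keywords the dump contains.
    for key in kbdinteractiveauthentication challengeresponseauthentication; do
        got=$(effective "$dump" "$key")
        if [ -n "$got" ] && [ "$got" != no ]; then
            echo "FAIL $key: effective=$got expected=no"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample dumps (not captured from a real server).
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam no'
SAMPLE_WEAK='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_effective ||
    echo "Effective configuration still differs from Step 4."
```

Because sshd -T reads the configuration from disk, the check can be run before the reload; keep the current SSH session open until Step 5 succeeds from a second terminal.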

Step 5 – Verification

Try to login as root:
$ ssh root@server1.cyberciti.biz
Permission denied (publickey).

Try to login with password only:
$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no
Permission denied (publickey).

And there you have it: password authentication for SSH is disabled, including for the root user. Your server will now only accept key-based login, and the root user cannot log in with a password.


4 comments
  • d3rrila February 17, 2017, 8:21 pm

    Why are you also disabling PAM?
    Does PAM somehow enable a workaround for this, or is it less secure with PAM on?

  • andrej February 18, 2017, 7:51 am

    Why do you consider ssh root login unsafe?

    • E_Cooking February 18, 2017, 10:41 am

      The reason to disable passwords is that users choose really poor passwords. You don’t want an easy-to-guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:

      ssh root@$Your-IP-Here

      Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers have luck with enough time, and find a password, they would have root access and that would mean your server is rooted.

      Now, when you disallow root to log in over SSH, the bot first needs to guess a user name and then the matching password. You are making the bot's life harder by disabling root login.

  • E_Cooking February 18, 2017, 10:37 am

    I would set PermitRootLogin to prohibit-password so that ssh keys can be used for root login or automation purposes, etc.:

    PermitRootLogin prohibit-password
