How to disable ssh password login on Linux to increase security

I want to disable ssh clients from accessing using the password and only allow ssh login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

This page explains how to disable ssh password login on Linux permanently and only use ssh keys for login. So, first, you need to set up a regular non-privileged user account. Next, configure SSH keys for login. Once you have SSH Keys configured, you need to disable password login for all users, including root. This page explains to you how to generate an ssh key and disable password authentication on the Linux or Unix-based system. For demo purposes, I am using a Ubuntu Linux here, but it should work with other Linux distros such as CentOS/RHEL/Fedora/Debian and so on.

Tutorial details
Difficulty	Easy (rss)
Root privileges	Yes
Requirements	Linux or Unix with OpenSSH
Time	2m

Step 1 – Login to the remote server

Use the ssh command or client such as Putty:
$ ssh root@server-ip-here
$ ssh root@server1.cyberciti.biz

Step 2 – Create a new user account

Type the following command on Linux based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password using the passwd command:
# passwd vivek
Sample outputs:

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Add user to sudo (Ubuntu/Debian) group. If you are using a CentOS/RHEL/Fedora Linux add users to wheel supplementary/secondary group:
# usermod -aG sudo vivek
RHEL/CentOS Linux users, type:
# usermod -aG wheel vivek
The above command allows people in group wheel or sudo to run all commands. Verify it using the id command:
# su - vivek
$ id vivek
Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit a login shell:
$ logout

Please note that you can add existing users to sudo or wheel group too. No need to create a new user account:
# usermod -aG sudo userNameHere #Debian/Ubuntu
# usermod -aG wheel userNameHere #CentOS/RHEL

Step 3 – Install ssh keys on a remote machine

All command must be executed on local system/desktop/macos/freebsd workstation. Create the key pair:
$ ssh-keygen -t rsa
Install the public key in remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz
Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.

Test ssh keybase login:
$ ssh vivek@server1.cyberciti.biz
Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

vivek@ubuntu:~$ 

To run a command as administrator (user “root”), use “sudo {command}”. For example:
$ sudo ls /root/
To gain root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

We need to log in into server using newly created user named vivek:
ssh vivek@server-ip-here
ssh vivek@server1.cyberciti.biz
Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Next, find PasswordAuthentication set to no too:

PasswordAuthentication no

Search for UsePAM and set to no, too:

UsePAM no

Finally look for PermitRootLogin and set it to no too:

PermitRootLogin no
PermitRootLogin prohibit-password

Save and close the file. Reload or restart the ssh server on Linux:
# /etc/init.d/ssh reload
We can use the systemctl command for systemd based Linux distros:
$ sudo systemctl reload ssh
One can use the following on RHEL/CentOS Linux:
# /etc/init.d/sshd reload
Again for systemd based distro such as CentOS/RHEL 7.x or the latest version of Fedora, try the following commands to restart (reload) sshd:
$ sudo systemctl reload sshd

Step 5 – Verification

Try to login as root:
$ ssh root@server1.cyberciti.biz
Permission denied (publickey).
Try to login with password only:
$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no
Permission denied (publickey).

Conclusion

And there you have it, password authentication for SSH disabled including root user. Your server will now only accept key based login and the root user can not login with password. See “Top 20 OpenSSH Server Best Security Practices” for more info.

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04