How to disable ssh password login on Linux to increase security

Last updated February 17, 2017

I want to disable ssh clients from accessing using the password and only allow ssh login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

First, you need to set up a normal user account. Next, configure SSH keys for login. Once you have SSH keys configured, you disable password login for all users, including root. This guide shows you how to generate an SSH key and disable password authentication on a Linux or Unix-based system.
How to Disable Password Authentication for SSH

For demo purposes I am using Ubuntu Linux here.

Step 1 – Login to the remote server

Use the ssh command or a client such as PuTTY:
$ ssh [email protected]
$ ssh [email protected]

Step 2 – Create a new user account

Type the following command on a Linux-based system to create a new user named vivek:
# useradd -m -s /bin/bash vivek
Set the user’s password:
# passwd vivek
Sample outputs:

Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Add user to sudo (Ubuntu/Debian) or wheel (RHEL/CentOS) supplementary/secondary group:
# usermod -aG sudo vivek
OR for RHEL/CentOS Linux:
# usermod -aG wheel vivek
The above command allows members of the sudo or wheel group to run any command via sudo. Verify it:
# su - vivek
$ id vivek

Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit the login shell:
$ logout

Step 3 – Install ssh keys on a remote machine

All commands in this step must be executed on your local system (desktop, macOS or FreeBSD workstation), not on the server. Create the key pair:
$ ssh-keygen -t rsa
Install the public key on the remote server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]
Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh [email protected]'"
and check to make sure that only the key(s) you wanted were added.

Test key-based ssh login:
$ ssh [email protected]
Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

[email protected]:~$ 

To run a command as administrator (user "root"), use "sudo {command}". For example:
$ sudo ls /root/
To gain a root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

Edit the /etc/ssh/sshd_config file, enter:
$ sudo vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set it to no:

ChallengeResponseAuthentication no

Find PasswordAuthentication and set it to no:

PasswordAuthentication no

Find UsePAM and set it to no (note that this also stops sshd from running PAM account and session modules; PasswordAuthentication no on its own already rejects password logins, so keep UsePAM yes if you depend on PAM for account expiry or session limits):

UsePAM no

Find PermitRootLogin and set it to no:

PermitRootLogin no

Save and close the file. Keep your existing key-based session open while you reload, so that a mistake in the config cannot lock you out. Reload the ssh server:
# /etc/init.d/ssh reload
OR
$ sudo systemctl reload ssh
OR Use the following on RHEL/CentOS Linux
# /etc/init.d/sshd reload
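One pitfall with Step 4 is that sshd uses the first active occurrence of a directive in sshd_config, so appending PasswordAuthentication no below an earlier PasswordAuthentication yes changes nothing. The following shell functions are an added example, not code from the original post or from OpenSSH: they set the four Step 4 directives by replacing the first active occurrence (or inserting before the first Match block), and report the effective first-match value so you can verify the result before reloading. The sample sshd_config written by write_sample_config is constructed for the demo; function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the Step 4
# sshd_config directives on a file, honouring sshd's first-match rule.
# Lines inside a "Match" block are conditional and are left untouched.
# "Include" directives are not followed here; use "sshd -T" for the final check.
set -eu

# Print the effective (first-match) value of KEY in FILE's global section,
# or nothing if the directive is not set (sshd then uses its default).
sshd_effective_value() {
    file="$1"; key="$2"
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }                  # skip blank lines and comments
        tolower($1) == "match" { exit }                 # Match blocks are conditional: stop
        tolower($1) == tolower(key) { print $2; exit }  # first active occurrence wins
    ' "$file"
}

# Set KEY to VALUE in FILE: replace the first active occurrence in the global
# section, else insert before the first Match block, else append.
sshd_set_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        !done && NF > 0 && $1 !~ /^#/ && tolower($1) == "match" {
            print key " " value; done = 1               # insert before first Match block
        }
        !done && NF > 0 && $1 !~ /^#/ && tolower($1) == tolower(key) {
            print key " " value; done = 1; next         # replace first active occurrence
        }
        { print }
        END { if (!done) print key " " value }          # append if never seen
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Apply the four settings from Step 4 to FILE.
harden_sshd_config() {
    sshd_set_directive "$1" ChallengeResponseAuthentication no
    sshd_set_directive "$1" PasswordAuthentication no
    sshd_set_directive "$1" UsePAM no
    sshd_set_directive "$1" PermitRootLogin no
}

# Return 0 if every Step 4 directive is effectively "no" in FILE, else 1.
verify_sshd_config() {
    file="$1"; status=0
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM PermitRootLogin; do
        if [ "$(sshd_effective_value "$file" "$key")" != "no" ]; then
            echo "$key is not effectively 'no' in $file" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample config (not a real server's file) showing the pitfall:
# the trailing "PasswordAuthentication no" is ignored by sshd because an
# earlier "PasswordAuthentication yes" is matched first.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for the demo
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone demo on a temporary copy (never touches /etc/ssh): sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    f="$(mktemp)"; write_sample_config "$f"
    echo "before: PasswordAuthentication=$(sshd_effective_value "$f" PasswordAuthentication)"
    harden_sshd_config "$f"
    verify_sshd_config "$f" && echo "after: all Step 4 directives are effectively 'no'"
    rm -f "$f"
fi
```

On a real server, run harden_sshd_config /etc/ssh/sshd_config as root, then `sshd -t` to syntax-check and `sshd -T | grep -i -e passwordauthentication -e permitrootlogin` to print the values sshd will actually use, including anything pulled in by Include lines (on Ubuntu 22.04 and later the Include of /etc/ssh/sshd_config.d/*.conf sits at the top of the file, so a drop-in file setting PasswordAuthentication yes wins over the main file). Only then reload.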

Step 5 – Verification

Try to login as root:
$ ssh [email protected]
Permission denied (publickey).

Try to log in with a password only, with public key authentication turned off on the client side:
$ ssh [email protected] -o PubkeyAuthentication=no
Permission denied (publickey).

And there you have it: password authentication for SSH is disabled, including for the root user. Your server will now only accept key-based logins, and root cannot log in at all over SSH.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Comments

  1. Why are you also disabling PAM?
    Does PAM somehow enable a workaround for this, or is it less secure with PAM on?

    1. The reason to disable passwords is that users choose really poor passwords. You don’t want an easy-to-guess password for the root user. Second, there are bots out there which try to log in to your computer over SSH. They run something like:

      ssh root@$Your-IP-Here

      Then they try standard dictionary passwords like “123456”, “root” or “password123” and so on. They do this as long as they can, until they find the right password. When the attackers get lucky with enough time and find a password, they would have root access, and that would mean your server is rooted.

      Now, when you disallow root from logging in over SSH, the bot first needs to guess a user name and then the matching password. You are making the bots’ lives harder by disabling root login.

  2. I would set PermitRootLogin to prohibit-password so that ssh keys can still be used for root login, automation purposes, etc.:

    PermitRootLogin prohibit-password
