How to disable ssh password login on Linux to increase security

I want to disable ssh clients from accessing using the password and only allow ssh login using SSH keys. How do I disable password authentication for SSH on Linux operating systems?

This page explains how to disable ssh password login on Linux permanently and only use ssh keys for login. First, you need to set up a regular non-privileged user account. Next, configure SSH keys for login. Once you have SSH keys configured, you disable password login for all users, including root. For demo purposes, I am using an Ubuntu Linux server here, but it should work with other Linux distros such as CentOS/RHEL/Fedora/Debian and so on.

Step 1 – Login to the remote server

Use the ssh command or a client such as PuTTY:

$ ssh root@server-ip-here

$ ssh root@server1.cyberciti.biz

Step 2 – Create a new user account

Type the following command on a Linux based system to create a new user named vivek:

# useradd -m -s /bin/bash vivek

Set the user’s password using the passwd command:

# passwd vivek

Sample outputs:

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Add the user to the sudo group (Ubuntu/Debian). If you are using CentOS/RHEL/Fedora Linux, add the user to the wheel supplementary (secondary) group instead:

# usermod -aG sudo vivek

RHEL/CentOS Linux users, type:

# usermod -aG wheel vivek

The above command allows members of the wheel or sudo group to run all commands as root via sudo. Verify it using the id command:

# su - vivek

$ id vivek

Sample outputs:

uid=1000(vivek) gid=1000(vivek) groups=1000(vivek),27(sudo)

Exit the login shell:

$ logout



Please note that you can add an existing user to the sudo or wheel group too; there is no need to create a new user account:

# usermod -aG sudo userNameHere #Debian/Ubuntu

# usermod -aG wheel userNameHere #CentOS/RHEL

Step 3 – Install ssh keys on a remote machine

All commands in this step must be executed on your local system (desktop, macOS or FreeBSD workstation), not on the server. Create the key pair:

$ ssh-keygen -t rsa

Install the public key on the remote server:

$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub vivek@server1.cyberciti.biz

Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/vivek/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@ln.cbzc01's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'vivek@server1.cyberciti.biz'"
and check to make sure that only the key(s) you wanted were added.

Test SSH key-based login:

$ ssh vivek@server1.cyberciti.biz

Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

vivek@ubuntu:~$

To run a command as administrator (user “root”), use “sudo {command}”. For example:

$ sudo ls /root/

To gain root shell, enter:

$ sudo -s

See How To Setup SSH Keys on a Linux / Unix System for more information.

Step 4 – Disable root login and password based login

We need to log in to the server using the newly created user named vivek:

$ ssh vivek@server-ip-here

$ ssh vivek@server1.cyberciti.biz

Edit the /etc/ssh/sshd_config file, enter:

$ sudo vi /etc/ssh/sshd_config

Find ChallengeResponseAuthentication and set it to no:

ChallengeResponseAuthentication no

Next, find PasswordAuthentication and set it to no too:

PasswordAuthentication no

Search for UsePAM and set it to no, too (with UsePAM no, sshd does not consult PAM at all, so PAM account and session modules are not run for SSH logins):

UsePAM no

Finally, look for PermitRootLogin and set it to no too:

PermitRootLogin no

Save and close the file. Reload or restart the SSH server on Linux:

# /etc/init.d/ssh reload

We can use the systemctl command for systemd based Linux distros:

$ sudo systemctl reload ssh

One can use the following on RHEL/CentOS Linux:

# /etc/init.d/sshd reload

Again, for systemd based distros such as CentOS/RHEL 7.x or the latest version of Fedora, try:

$ sudo systemctl reload sshd
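The four edits above, plus the syntax check that belongs before any reload, as a small POSIX shell script. This is an added example, not the article's own commands: the function names (get_sshd_option, set_sshd_option, verify_sshd_hardening, harden_sshd_config, reload_if_valid) and the sample config it runs on are constructed for illustration. It assumes OpenSSH's parsing rules, namely that the first value given for a keyword is the one used and that directives after a Match line apply only to that block.

```shell
#!/bin/sh
# Added example: apply the article's four sshd_config directives safely.
# Assumes POSIX sh and awk, plus OpenSSH's parsing rules: the first value of a
# keyword is the one used, and lines after "Match" belong to that Match block.

# Effective global value of a keyword, read the way sshd reads it: comments are
# skipped, the first occurrence wins, and the scan stops at the first Match block.
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) && !found { print $2; found = 1 }
    ' "$1"
}

# Set a keyword idempotently. The new line goes at the top of the file (so it is
# the first occurrence and cannot land inside a later Match block); older active
# or commented-out lines for the same keyword in the global section are dropped,
# while Match blocks are left untouched for the administrator to review.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    printf '%s %s\n' "$key" "$value" > "$tmp"
    awk -v k="$key" '
        tolower($1) == "match" { inmatch = 1 }
        {
            l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f)
            if (!inmatch && tolower(f[1]) == tolower(k)) next
            print
        }
    ' "$file" >> "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Return 1 unless every directive from Step 4 is explicitly set to "no".
verify_sshd_hardening() {
    file="$1"; rc=0
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM PermitRootLogin; do
        got=$(get_sshd_option "$file" "$key")
        if [ "$got" != "no" ]; then
            echo "$key is '${got:-unset}', expected 'no'" >&2
            rc=1
        fi
    done
    return $rc
}

# Apply the four directives, then re-read the file to confirm they took effect.
harden_sshd_config() {
    file="${1:-/etc/ssh/sshd_config}"
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM PermitRootLogin; do
        set_sshd_option "$file" "$key" no
    done
    verify_sshd_hardening "$file"
}

# Syntax-check with "sshd -t" before reloading: a typo in sshd_config would
# otherwise leave a daemon that refuses every new connection.
reload_if_valid() {
    file="${1:-/etc/ssh/sshd_config}"
    sshd -t -f "$file" || { echo "sshd_config has errors, not reloading" >&2; return 1; }
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

# Offline demo on a constructed sample file (not a real server's config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User sftponly
    ForceCommand internal-sftp
EOF
harden_sshd_config "$demo" && { echo "hardened sample config:"; cat "$demo"; }
rm -f "$demo"
```

On a real server the sequence is `harden_sshd_config /etc/ssh/sshd_config && reload_if_valid`, run as root from a session you keep open until a second key-based login has been confirmed. Directives inside Match blocks are deliberately left alone: a Match block that re-enables PasswordAuthentication for some user would defeat the point of this page, so review any that the script reports as untouched.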

Step 5 – Verification

Try to log in as root:

$ ssh root@server1.cyberciti.biz

Permission denied (publickey).

Try to log in with a password only (public key authentication disabled on the client side):

$ ssh vivek@server1.cyberciti.biz -o PubkeyAuthentication=no

Permission denied (publickey).
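The two client-side tests above show the symptom; the definitive check is on the server, where `sshd -T` prints the configuration sshd is actually running with, one lowercase "keyword value" pair per line. The following filter is an added example rather than the article's own command: it reads such a dump from stdin and fails unless password, keyboard-interactive, PAM and root logins are all off. The function name check_effective_sshd and the sample dumps are constructed; it accepts either challengeresponseauthentication or kbdinteractiveauthentication, because OpenSSH 8.7 and later report the setting only under the newer name.

```shell
#!/bin/sh
# Added example: verify the configuration sshd actually runs with, from a
# "sshd -T" dump (lowercase "keyword value" lines). On the server:
#     sudo sshd -T | check_effective_sshd
check_effective_sshd() {
    awk '
        BEGIN {
            want["passwordauthentication"]          = "no"
            want["permitrootlogin"]                 = "no"
            want["usepam"]                          = "no"
            want["challengeresponseauthentication"] = "no"   # reported by OpenSSH before 8.7
            want["kbdinteractiveauthentication"]    = "no"   # reported by OpenSSH 8.7 and later
        }
        ($1 in want) { seen[$1] = $2 }
        END {
            # Check whichever of the two keyboard-interactive names this sshd reports.
            if ("challengeresponseauthentication" in seen)
                delete want["kbdinteractiveauthentication"]
            else
                delete want["challengeresponseauthentication"]
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            if (!bad) print "OK: password, keyboard-interactive, PAM and root logins are disabled"
            exit bad
        }'
}

# Offline demo on a constructed dump (not output from a real server).
printf 'port 22\npasswordauthentication no\nkbdinteractiveauthentication no\nusepam no\npermitrootlogin no\n' \
    | check_effective_sshd
```

`sshd -T` without arguments shows the global settings; if the file contains Match blocks, `sshd -T -C user=vivek,host=server1.cyberciti.biz,addr=203.0.113.10` (addresses here are placeholders) dumps what a specific connection would get, which is the only way to be sure no Match block quietly re-enables password login for someone.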

Conclusion

And there you have it: password authentication for SSH is disabled, including for the root user. Your server will now only accept key based login, and the root user cannot log in with a password. See “Top 20 OpenSSH Server Best Security Practices” for more info.