How to Disable SSH Login With Password
One of the basic SSH hardening steps is to disable password based SSH login. This reduces the risk of a brute force attack on your Linux server.
You know that you can use ssh with the root or any other account's password to log in remotely to a Linux server.
But this poses a security risk because huge numbers of bots are constantly trying to log in to your system with guessed passwords. This is called a brute force attack.
You don’t believe me? You can check the logins on your Linux server. You’ll be surprised to see so many failed attempts on your server.
root@myserver:~# lastb | tail
root ssh:notty 49.235.87.213 Wed Apr 1 06:25 - 06:25 (00:00)
root ssh:notty 95.128.137.176 Wed Apr 1 06:25 - 06:25 (00:00)
aw ssh:notty 36.108.175.68 Wed Apr 1 06:25 - 06:25 (00:00)
aw ssh:notty 36.108.175.68 Wed Apr 1 06:25 - 06:25 (00:00)
fx ssh:notty 113.88.164.53 Wed Apr 1 06:25 - 06:25 (00:00)
fx ssh:notty 113.88.164.53 Wed Apr 1 06:25 - 06:25 (00:00)
root ssh:notty 112.215.113.10 Wed Apr 1 06:25 - 06:25 (00:00)
root ssh:notty 152.32.173.74 Wed Apr 1 06:25 - 06:25 (00:00)
A strong password makes those guesses fail, and a tool like fail2ban limits how many attempts each source can make, but both still leave the password prompt exposed to the internet. The cleaner fix is to disable password based authentication altogether, so that no one can connect with a login password at all.
In this way, only those systems whose public SSH keys have been added to the server (called key-based authentication) will be able to connect to the server. Read about setting up ssh configuration.
Disable SSH password authentication
Before you do that, you must keep the following things in mind:
- Make sure to create your ssh key pair on your personal/work computer, add the public key to the server, and confirm that key-based login actually works, so that at least you can log in to the server.
- Disabling password based authentication means you cannot ssh into your server from any computer that does not have your private key.
- You must not lose your ssh keys. If you format your personal computer and lose the keys, you lose your way into the server, so keep a backup of the private key or add a second key from another machine.
- If you are locked out, you cannot recover over SSH. Some cloud server providers like Linode and UpCloud provide a VNC console that could still help you; without such out-of-band access, the server is unreachable.
Only disable password based SSH authentication if you are familiar with SSH and other sysadmin concepts. You should also know how to use a terminal based text editor like Vim or Nano.
Okay. So now you know the risks associated with disabling SSH logins via password. Let’s see how to do it.
Log in as root to your Linux server using key based authentication, and keep that session open until you have confirmed the new settings work. Use an editor like Nano or Vim to edit the following file:
/etc/ssh/sshd_config
Find the following line:
PasswordAuthentication yes
And change it to:
PasswordAuthentication no
If there is a # (means commented out) at the beginning of that line, remove it.
Two more things to check in the same file. First, a password can also be asked for through keyboard-interactive authentication (PAM), so set KbdInteractiveAuthentication no as well (on OpenSSH older than 8.7 the directive is called ChallengeResponseAuthentication). Second, recent Debian and Ubuntu releases have an Include /etc/ssh/sshd_config.d/*.conf line at the top of sshd_config, and sshd uses the first value it reads for each directive; if a drop-in file there (cloud images often ship one) still says PasswordAuthentication yes, it wins over your edit, so change it there too.
Save the file, check that sshd still accepts the configuration with sshd -t, and then restart the SSH service using this command:
systemctl restart ssh
On distributions where the unit is named sshd (Fedora, RHEL and their derivatives), use systemctl restart sshd instead.
That's it. Confirm with sshd -T | grep -i passwordauthentication, which prints the value sshd actually uses, and try a fresh login from a second terminal before closing your existing session. You have successfully disabled password based authentication in SSH.
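The manual edit above is easy to get subtly wrong: a commented-out line left in place, a second PasswordAuthentication line further down (sshd keeps the first value it reads and ignores the rest), or an edit made inside a Match block where it only applies to some users. The following shell helpers, added here as an example and not part of the original article or of OpenSSH, apply a directive the way you would want it applied and then report the value that is actually in effect. The function names and the sample configuration are made up for the example; on a real host you would pass /etc/ssh/sshd_config (and any file under /etc/ssh/sshd_config.d/) instead.

```shell
#!/bin/sh
# Hypothetical helpers written for this article; not part of OpenSSH.

# set_sshd_option FILE KEY VALUE
#   Makes "KEY VALUE" the effective global setting in an sshd_config-style file:
#   - an existing line for KEY, commented out or not, becomes "KEY VALUE"
#   - later duplicate global lines for KEY are dropped, because sshd keeps the first value it reads
#   - lines inside "Match" blocks are left alone (they are conditional overrides)
#   - if KEY is absent, the directive is inserted before the first Match block,
#     or appended at the end when there is no Match block
set_sshd_option() {
  file=$1
  key=$2
  value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    function keyword(s,   f) {                 # directive name of a line, ignoring "#" and indentation
      sub(/^[ \t]*#?[ \t]*/, "", s)
      split(s, f, /[ \t=]+/)
      return tolower(f[1])
    }
    {
      commented = ($0 ~ /^[ \t]*#/)
      d = keyword($0)
      if (!in_match && !commented && d == "match") {
        if (!done) { print key " " value; done = 1 }   # a global directive must precede Match blocks
        in_match = 1
      }
      if (in_match) { print; next }                    # never rewrite inside a Match block
      if (d == tolower(key)) {
        if (!done) { print key " " value; done = 1 }   # first occurrence becomes the directive
        next                                           # later duplicates are dropped
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps the owner and mode of the original
  rc=$?
  rm -f "$tmp"
  return $rc
}

# effective_sshd_option FILE KEY
#   Prints the global value sshd would take for KEY from this one file: comments are
#   ignored, the first occurrence wins, and Match blocks are not consulted.
#   Prints nothing when KEY is not set (sshd then uses its compiled-in default).
effective_sshd_option() {
  awk -v key="$2" '
    { s = $0; sub(/^[ \t]*/, "", s) }
    s == "" || s ~ /^#/ { next }
    { split(s, f, /[ \t=]+/); d = tolower(f[1]) }
    d == "match" { exit }
    d == tolower(key) { print f[2]; exit }
  ' "$1"
}

# Demo on a constructed sample file (made up for this example, not a real server's config).
demo_sshd_hardening() {
  cfg=$(mktemp) || return 1
  printf '%s\n' \
    'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PasswordAuthentication yes' \
    'KbdInteractiveAuthentication yes' \
    'PasswordAuthentication yes' \
    'Match User backup' \
    '    PasswordAuthentication yes' > "$cfg"
  set_sshd_option "$cfg" PasswordAuthentication no
  set_sshd_option "$cfg" KbdInteractiveAuthentication no
  echo "effective PasswordAuthentication: $(effective_sshd_option "$cfg" PasswordAuthentication)"
  cat "$cfg"
  rm -f "$cfg"
}

# Real-world use, as root, with a working key login kept open in a second terminal:
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   set_sshd_option /etc/ssh/sshd_config KbdInteractiveAuthentication no
#   sshd -t && systemctl restart ssh
#   sshd -T | grep -i -E 'passwordauthentication|kbdinteractiveauthentication'
demo_sshd_hardening
```

Note that effective_sshd_option only reads one file; it does not follow Include lines. That is deliberate: the authoritative answer on a real host is sshd -T, which resolves includes, defaults and Match blocks exactly as the running daemon does, so use the helper to sanity-check an edit and sshd -T to confirm it before you close your existing session.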
Questions and suggestions are always welcome.
Creator of Linux Handbook and It's FOSS. An ardent Linux user & open source promoter. Huge fan of classic detective mysteries from Agatha Christie and Sherlock Holmes to Columbo & Ellery Queen.