Disable SSH Password Login

This page explains how to permanently disable SSH password login on Linux and use only SSH keys for login by setting the PasswordAuthentication no option in the sshd server config. First, set up a regular non-privileged user account. Next, configure SSH keys for login. Once the SSH keys are configured, disable password login for all users, including root. The steps below cover generating an SSH key and disabling password authentication on a Linux or Unix-based system. For demo purposes, I am using Ubuntu Linux here, but it should work with other Linux distros such as CentOS/RHEL/Fedora/Debian and so on.

Log in to the remote server

Use the ssh command or a client such as PuTTY:

ssh root@server-ip-here

Create a new user account

Type the following command on a Linux-based system to create a new user named newuser:

useradd -m -s /bin/bash newuser

Set the user’s password using the passwd command:

passwd newuser

It would be a good idea to add the user to the sudo group:

usermod -aG sudo newuser


Install ssh keys on a remote machine

All commands in this section must be executed on your local system (desktop, macOS, or FreeBSD workstation). Create the key pair:

ssh-keygen -t rsa #older key

OR use the ed25519 type:

ssh-keygen -t ed25519 #Newer key

Install the public key on the remote server using the ssh-copy-id command as follows:

ssh-copy-id -i $HOME/.ssh/id_ed25519.pub newuser@server-ip-here

OR try the rsa key if created:

ssh-copy-id -i $HOME/.ssh/id_rsa.pub newuser@server-ip-here

Sample outputs:

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/newuser/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
newuser@server-ip-here's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'newuser@server-ip-here'"
and check to make sure that only the key(s) you wanted were added.

Test SSH key-based login:

ssh newuser@server-ip-here


Sample outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
 
newuser@ubuntu:~$

To run a command as administrator (user “root”), use “sudo {command}”. For example:

sudo ls /root/

To gain root shell, enter:

sudo -s

Disable root login and password based login

We need to log in to the server using the newly created user named newuser:

ssh newuser@server-ip-here

Edit the /etc/ssh/sshd_config file or create a new file in the /etc/ssh/sshd_config.d/ directory. To edit the main file, enter:

sudo nano /etc/ssh/sshd_config

The following only works on the latest version of OpenSSH and Linux/Unix variants (you need the config directive line Include /etc/ssh/sshd_config.d/*.conf at the end of the /etc/ssh/sshd_config file):

sudo nano /etc/ssh/sshd_config.d/disable_root_login.conf

Find/edit/add ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Next, find PasswordAuthentication and set it to no, too:

PasswordAuthentication no

Search for UsePAM and set to no, too:

UsePAM no

Finally, look for PermitRootLogin and set it to no, too:

PermitRootLogin no
#PermitRootLogin prohibit-password

Save and close the file.

Reload or restart the ssh server

Command to reload the SSH server:

/etc/init.d/ssh reload

We can use the systemctl command for systemd based Linux distros:

sudo systemctl reload ssh

One can use the following on RHEL/CentOS Linux:

/etc/init.d/sshd reload

Again for systemd based distro such as CentOS/RHEL 7.x or the latest version of Fedora, try the following commands to restart (reload) sshd:

sudo systemctl reload sshd

Verification

Try to log in as root:

$ ssh root@server-ip-here
Permission denied (publickey).

Try to log in with password only:

$ ssh newuser@server-ip-here -o PubkeyAuthentication=no
Permission denied (publickey).
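
The client-side tests above can be backed by a server-side check of the effective configuration. sshd uses the first value it obtains for each keyword, so a setting placed in one file can be overridden by another. The script below is an added example, not part of the original page: the function name check_sshd_effective and the sample dumps are constructed for illustration, and it assumes input in the format printed by sshd -T.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the values this page sets.
# Input is text in the format printed by `sshd -T` (lowercase "keyword value" lines).

# Values taken from the directives configured on this page.
EXPECTED='passwordauthentication no
permitrootlogin no
usepam no'

# Reads an `sshd -T` dump on stdin, prints one FAIL line per mismatch,
# returns 0 when every setting matches and 1 otherwise.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-<missing>}'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    # Assumption: the dump reports ChallengeResponseAuthentication under its own
    # name, as kbdinteractiveauthentication, or both, depending on OpenSSH version.
    kbd=$(printf '%s\n' "$dump" |
        awk '$1 ~ /^(kbdinteractive|challengeresponse)authentication$/ { print $2 }')
    case "$kbd" in
        ''|*yes*) echo "FAIL keyboard-interactive: got '${kbd:-<missing>}'"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam no'
# Constructed dump in which password and root login are still effective.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam no'

printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "overridden sample: not hardened"
# On the server: sudo sshd -t && sudo sshd -T | check_sshd_effective
```

Run the last commented line from the existing SSH session before logging out, so a syntax error or an overridden directive is caught while you still have access.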