How to Disable SSH Password authentication on Linux

In this tutorial we will take a look at how we can disable SSH password authentication on a Linux VPS and setup SSH key-based authentication as this is considered a good security practice.We tested this tutorial on an Ubuntu 16.04 VPS, although it should work with any distribution of your choice as well.

1. Log in to your VPS

Let’s start by logging in to your Linux VPS using the ssh command:

# ssh root@your-server-ip

2. Create a new user account

Best practice would be to create a new user account so if somebody gets their hands on your key and uses your key to log in to this account they will still have to type in a password to get root permissions.

First make sure sudo is installed, for Debian/Ubuntu based distributions type:

# apt-get update
# apt-get install -y sudo

For CentOS/RHEL based distributions type:

# yum install -y sudo

For Debian/Ubuntu use the following command to create a new user and add it to the sudo group:

# useradd -m -s /bin/bash -G sudo linuxcloudvps

For CentOS/RHEL you need to add the user in the wheel group, enter this command instead of the command above:

# useradd -m -s /bin/bash -G wheel linuxcloudvps

Now set a password for the user we just created:

# passwd linuxcloudvps

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

3. Create and copy the SSH keys

This command must be executed on your local machine and will ask you for a passphrase, if you enter a passphrase for your key you will be asked for the passphrase on every SSH session you make to your VPS, let’s generate the key:

# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/linuxcloudvps/.ssh/id_rsa):
Created directory '/home/linuxcloudvps/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linuxcloudvps/.ssh/id_rsa.
Your public key has been saved in /home/linuxcloudvps/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:MYLCbBV380UpUoexHNn1cMOtHomLK4zk8T+9BJU/pyM linuxcloudvps@your-server-hostname
The key's randomart image is:
+---[RSA 2048]----+
|    o.. o.+*+o+.o|
| o . o ..++=o. =o|
|  = . . o.+.o. o.|
| . .   . o ...+  |
|        S .. oo..|
|      o   ... .+ |
|     o =   oE o  |
|      o + o... . |
|         o....   |
+----[SHA256]-----+

Now copy the key to your Linux VPS:

# ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcloudvps@your-server-ip

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/linuxcloudvps/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
linuxcloudvps@your-server-ip's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'linuxcloudvps@your-server-ip'"
and check to make sure that only the key(s) you wanted were added.

Try to login with the key and see if the key-based authentication works now:

# ssh linuxcloudvps@your-server-ip

You should see the welcoming message of your chosen distribution, in our case that’s Ubuntu 16.04:

Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 2.6.32-042stab120.11 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

linuxcloudvps@your-server-hostname:~$

Test if you can obtain root permissions by entering the following command:

# sudo su

Sudo will ask for a password, enter the password you set above for the linuxcloudvps user.
If everything goes well you can proceed to the next step.

4. Disable SSH password authentication and root login

Now we will edit the file “/etc/ssh/sshd_config” to disable SSH password and root login:

nano /etc/ssh/sshd_config

Find and change the following settings to no:

PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Save and exit the file, reload the configuration of the SSH server with the following command:

# service sshd reload

5. Verification

Now test to see if you disabled root login successfully:

# ssh root@your-server-ip
Permission denied (publickey).

And then test if you have disabled SSH password authentication successfully:

# ssh linuxcloudvps@your-server-ip
Permission denied (publickey).

That’s it, now you’ve successfully disabled SSH password authentication and enabled SSH key-based authentication on your Linux VPS. Your Linux server will only accept key based login, including the root user.

 

Disabling SSH password authentication on a Linux VPS is an easy task if you have a VPS Hosting with us. Feel free to ask our expert Linux Administrators to help you disable SSH password authentication on your Linux server for you, and it will be taken care of immediately. They are available 24×7, so you can get the help you need at any time.

PS. Feel free to share this blog post if you liked it by using the social network shortcuts – you can also leave a comment instead in the comment section under the share buttons.