How to Disable SSH Password Authentication


    For demo purposes I am using Ubuntu Linux here.

    Step 1 – Login to the remote server

    Use the ssh command or a client such as PuTTY:
    $ ssh root@server-ip-here
    $ ssh

    Step 2 – Create a new user account

    Type the following command on a Linux-based system to create a new user named onehost:
    # useradd -m -s /bin/bash onehost
    Set the user’s password:
    # passwd onehost
    Sample outputs:

    Enter new UNIX password: 
    Retype new UNIX password: 
    passwd: password updated successfully

    Add user to sudo (Ubuntu/Debian) or wheel (RHEL/CentOS) supplementary/secondary group:
    # usermod -aG sudo onehost
    OR for RHEL/CentOS Linux:
    # usermod -aG wheel onehost
    Members of the sudo or wheel group are allowed to run all commands through sudo. Verify the group membership:
    # su - onehost
    $ id onehost

    Sample outputs:

    uid=1000(onehost) gid=1000(onehost) groups=1000(onehost),27(sudo)

    Exit a login shell:
    $ logout

    Step 3 – Install ssh keys on a remote machine

    All commands in this step must be executed on the local system (desktop, macOS, or FreeBSD workstation). Create the key pair:
    $ ssh-keygen -t rsa
    Install the public key in remote server:
    $ ssh-copy-id -i $HOME/.ssh/
    Sample outputs:

    /usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/onehost/.ssh/"
    /usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    vivek@ln.cbzc01's password: 
    Number of key(s) added:        1
    Now try logging into the machine, with:   "ssh ''"
    and check to make sure that only the key(s) you wanted were added.

    Test ssh key-based login:
    $ ssh
    Sample outputs:

    Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)
     * Documentation:
     * Management:
     * Support:
    To run a command as administrator (user "root"), use "sudo ".
    See "man sudo_root" for details.

    To run a command as administrator (user “root”), use “sudo {command}”. For example:
    $ sudo ls /root/
    To gain root shell, enter:
    $ sudo -s

    Step 4 – Disable root login and password based login

    Edit the /etc/ssh/sshd_config file, enter:
    $ sudo vi /etc/ssh/sshd_config
    Find ChallengeResponseAuthentication and set to no:

    ChallengeResponseAuthentication no

    Find PasswordAuthentication and set to no:

    PasswordAuthentication no

    Find UsePAM and set to no:

    UsePAM no

    Find PermitRootLogin and set to no:

    PermitRootLogin no

    Save and close the file. Reload the ssh server:
    # /etc/init.d/ssh reload
    $ sudo systemctl reload ssh
    OR use the following on RHEL/CentOS Linux:
    # /etc/init.d/sshd reload
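
    A check worth running before the reload above: this added example (not part of the original article) audits one sshd_config file for the four Step 4 directives, relying on sshd's rule that the first value read for a keyword wins. The function names and the sample config are made up for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd keeps the FIRST value it reads for each keyword, so appending
# "PasswordAuthentication no" below an earlier "yes" changes nothing.

# effective_value FILE KEYWORD: print the first global (pre-Match) value of
# KEYWORD in lower case, or "unset" if it only appears later or not at all.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                      # strip leading whitespace
        /^#/ || /^$/ { next }                       # skip comments and blanks
        { key = tolower($1); sub(/=.*/, "", key) }  # keyword, "=" form allowed
        key == "match" { exit }                     # global section ends here
        key == want {
            val = $0
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val) # drop keyword and separator
            sub(/[ \t]+$/, "", val)
            print tolower(val); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if all four Step 4 directives are
# explicitly "no" in the global section of FILE.
audit_sshd_config() {
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication \
              UsePAM PermitRootLogin; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then echo "OK    $kw no"
        else echo "FAIL  $kw $val"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample config (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
#PermitRootLogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "Fix the FAIL lines before reloading sshd."
rm -f "$sample"
```

    On a real server, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the configuration sshd will actually use, including any Include files.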

    Step 5 – Verification

    Try to log in as root:
    $ ssh
    Permission denied (publickey).

    Try to log in with password only:
    $ ssh -o PubkeyAuthentication=no
    Permission denied (publickey).

    And there you have it: password authentication for SSH is disabled, including for the root user. Your server will now only accept key-based login, and the root user cannot log in with a password.
