-
-
Notifications
You must be signed in to change notification settings - Fork 768
Disable SSH Password Authentication
Disabling SSH password authentication is a good practice for enhancing security, especially on a public-facing server. Here is a step-by-step tutorial on how to disable SSH password authentication. This guide assumes you are using a Linux-based system.
Before you disable password authentication, make sure you have key-based authentication configured and working. If you disable password authentication without having an alternative way to log in, you could lock yourself out of the server.
-
Generate an SSH Key Pair (if you haven't already):
ssh-keygen -t rsa -b 4096
Press Enter to accept the default file location. Optionally, you can set a passphrase for additional security.
-
Copy the Public Key to Your Server:
-
Windows:
cat $HOME\.ssh\id_rsa.pub | ssh username@your_server_ip 'cat >> ~/.ssh/authorized_keys'
-
Linux & Mac:
ssh-copy-id username@your_server_ip
Replace
username
with your actual username andyour_server_ip
with your server's IP address.
-
Test Key-Based Login: Try to log in using your SSH key.
If you can log in without being prompted for a password, key-based authentication is working.
ssh username@your_server_ip
-
Access the SSH Configuration File:
sudo nano /etc/ssh/sshd_config
You can replace
nano
with your preferred text editor (likevi
orvim
). -
Find the Line for Password Authentication: Look for a line that says
PasswordAuthentication
. It might be commented out (starting with#
). -
Disable Password Authentication: Change this line to
PasswordAuthentication no
If the line is not there, you can add it at the end of the file.
-
Save and Exit the Editor: If you are using
nano
, you can save by pressingCtrl + O
and exit by pressingCtrl + X
.
After making changes to the sshd_config
file, you need to restart the SSH service for the changes to take effect.
sudo systemctl restart sshd
-
Test SSH Access: Try to log in via SSH again. This time, the server should not allow password authentication.
ssh username@your_server_ip
Ensure that you can still log in using key-based authentication.
-
Optional - Test from Another Machine: If possible, try to SSH from a different machine where your SSH key is not configured. The server should not allow you to log in using a password.
- Consider changing the SSH port from the default (port 22) to a non-standard port to reduce the chance of automated attacks. read more ...
- Regularly update your server and SSH software.
- Set up a firewall and limit access to necessary ports only. read more ...
- Monitor login attempts and set up intrusion detection systems.
By following these steps, you should have successfully disabled SSH password authentication, enhancing the security of your server. Just ensure you have a backup method (like key-based authentication) set up to avoid being locked out.