Linux: Disabling Password Authentication

Once you have confirmed that you have SSH key access to a Linux host (using SSH without a password), it is safe to disable password-based authentication.

WARNING: This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.

Before proceeding, make sure that you do, indeed, have SSH-key authentication access configured for at least one user with sudo privileges.

NOTE: Best practice is that the configured administrative user is not the root user itself, but a non-root user with sudo privileges.

NOTE: If you are setting up a DigitalOcean VM and provided an SSH key when creating a Droplet, password authentication may have been automatically disabled. You can still verify this by reading on.

Once you’ve confirmed that your remote account has administrative privileges (has sudo access), log into your remote server with SSH keys.

Then, open up the SSH daemon’s configuration file:

sudo nano /etc/ssh/sshd_config

Inside the SSH config file, search for a directive called PasswordAuthentication.
This line may be commented out with a # at the beginning of the line.

Uncomment the line by removing the #, and set the value to no.
This will disable your ability to log in via SSH using account passwords:

. . .
PasswordAuthentication no
. . .

Save and close the config file when you are finished by pressing CTRL+X, then Y to confirm saving the file.

To actually activate the updated SSH config changes, we need to restart the SSH service (the systemd unit is named ssh on Ubuntu):

sudo systemctl restart ssh

As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing your current session:

ssh username@remote_host

Once you have verified your SSH service is functioning properly, you can safely close all current server sessions.
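One check worth running before you trust the edit above: OpenSSH keeps the first value it reads for a keyword, and a drop-in file pulled in by an Include directive at the top of sshd_config can therefore override a PasswordAuthentication line further down. The script below is an added example, not part of this guide; it parses constructed config files to show that effect, and its comments list the real-host commands (sshd -t, sshd -T, a password-only ssh attempt) that confirm the change took hold.

```shell
#!/bin/sh
# Added example (not from the original guide): work out which
# PasswordAuthentication value sshd will actually use. OpenSSH keeps the FIRST
# value it reads for a keyword, and Ubuntu's stock sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in such as the one
# cloud-init may write can override an edit made lower down in sshd_config.
# Simplifications: "Keyword=value" syntax and Match blocks are not handled;
# on the real host, `sudo sshd -T` is the authoritative view.

# effective_setting KEYWORD FILE...
# Prints the first value found for KEYWORD (case-insensitive) across FILEs in
# the order given, which must mirror Include order: drop-ins first, then the
# main file. Comment lines are skipped. Prints nothing if the keyword is unset.
effective_setting() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    awk -v kw="$kw" '
        $1 ~ /^#/ { next }                          # comment line
        tolower($1) == kw && NF >= 2 { print tolower($2); exit }
    ' "$@"
}

# Builds a constructed pair of files that reproduce the override problem and
# prints the effective PasswordAuthentication value: "yes", not the "no" that
# was set in the main file.
demo_dropin_overrides() {
    dir=$(mktemp -d)
    # constructed drop-in, as cloud-init may leave it on a fresh image
    printf 'PasswordAuthentication yes\n' > "$dir/50-cloud-init.conf"
    # constructed main config after the edit described in the guide
    printf 'Include /etc/ssh/sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$dir/sshd_config"
    effective_setting PasswordAuthentication "$dir/50-cloud-init.conf" "$dir/sshd_config"
    rm -rf "$dir"
}

demo_dropin_overrides   # prints: yes

# On the real host, after editing and before restarting:
#   sudo sshd -t                                   # syntax check; silent when OK
#   sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication'
# Both should read "no": keyboard-interactive via PAM can still prompt for a
# password even when PasswordAuthentication is off.
# From another machine, confirm that a password is no longer accepted:
#   ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
#   -> expected: Permission denied (publickey).
```

If the demo prints "yes" against your own files, fix or remove the drop-in under /etc/ssh/sshd_config.d/ rather than only editing sshd_config.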

The SSH daemon on your Ubuntu server now only responds to SSH-key-based authentication.

Password-based logins have been disabled.