Disable password authentication for SSH


Enhancing SSH Security: Disabling Password Authentication on Ubuntu

Illustration of a padlock and an SSH key, symbolizing enhanced security for remote access.

Learn how to disable password-based SSH authentication on Ubuntu, enforcing the use of SSH keys for a more secure remote access setup.

Securing your SSH server is paramount for protecting your remote systems from unauthorized access. One of the most effective ways to bolster SSH security is by disabling password authentication and exclusively relying on SSH key pairs. This method eliminates the risk of brute-force attacks targeting weak passwords and provides a much stronger authentication mechanism. This article will guide you through the process of configuring your Ubuntu server to only accept SSH key-based authentication.

Understanding SSH Key Authentication

SSH key authentication involves a pair of cryptographic keys: a public key and a private key. The public key is placed on the server you wish to access, while the private key remains securely on your local machine. When you attempt to connect, the server challenges your client, which then uses its private key to prove its identity. This handshake is significantly more secure than password-based authentication, as private keys are typically long, complex, and not susceptible to dictionary attacks.

sequenceDiagram
    participant Client
    participant Server

    Client->>Server: Connection request and key exchange (both sides derive the session ID)
    Client->>Server: Offer public key (publickey authentication method)
    Server->>Client: Key accepted if it is listed in ~/.ssh/authorized_keys
    Client->>Server: Signature over the session ID, made with the private key
    alt Signature verifies
        Server->>Client: Grant Access
    else Signature invalid or key not authorized
        Server->>Client: Deny Access
    end

SSH Key Authentication Flow

Prerequisites: Generating SSH Keys

Before disabling password authentication, ensure you have an SSH key pair generated and your public key is already installed on the server. If you haven't done so, you can generate a new key pair on your local machine using the ssh-keygen command. The public key (typically ~/.ssh/id_rsa.pub) then needs to be copied to the server's ~/.ssh/authorized_keys file.

ssh-keygen -t rsa -b 4096
ssh-copy-id user@your_server_ip

Generating and copying SSH keys to the server

Disabling Password Authentication

The SSH daemon's configuration file, sshd_config, controls all aspects of SSH server behavior. To disable password authentication, you need to edit this file and restart the SSH service. Always make a backup of the configuration file before making changes.

Step 1: Back up the SSH configuration file

It's good practice to create a backup of the original sshd_config file before making any modifications. This allows you to revert changes if something goes wrong.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Backing up sshd_config

Step 2: Edit the SSH daemon configuration

Open the sshd_config file using a text editor like nano or vim. You'll need superuser privileges to modify this file.

sudo nano /etc/ssh/sshd_config

Opening sshd_config for editing

Step 3: Modify authentication settings

Locate the following lines and ensure they are set as shown. If a line is commented out (starts with #), uncomment it and set the value. If a line doesn't exist, add it. On Ubuntu, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each directive, so also check that no drop-in file in that directory sets PasswordAuthentication yes.

PasswordAuthentication no
# Also blocks password prompts delivered through keyboard-interactive (PAM);
# on OpenSSH 8.7 and later this directive is an alias for KbdInteractiveAuthentication
ChallengeResponseAuthentication no
# Ubuntu ships UsePAM yes; with the two settings above PAM can no longer accept
# passwords, and setting it to no also disables PAM account and session checks
UsePAM no
PermitRootLogin no

Key configuration lines in sshd_config

Step 4: Restart the SSH service

After saving your changes, you must restart the SSH service for the new configuration to take effect. This will apply the security changes.

sudo systemctl restart ssh   # the unit is ssh.service on Ubuntu; sshd is an accepted alias
# Or for older systems without systemd:
sudo service ssh restart

Restarting the SSH service

Step 5: Test the new configuration

From a new terminal window (keeping the old one open as a fallback), try to connect to your server. If you are prompted for a password, it means the configuration was not applied correctly or there's an issue. If it connects without a password prompt, success! A client that offers no key should now be refused with "Permission denied (publickey)".
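Before the restart in Step 4, it is worth checking what sshd will actually enforce rather than only what you typed, because a drop-in under /etc/ssh/sshd_config.d/ can override the main file. The script below is an added example, not part of the original article; check_effective_config parses sshd -T output (the effective, fully resolved configuration), and verify_and_restart wraps it with a syntax check so a typo cannot lock you out. The two SAMPLE_* strings are constructed sshd -T excerpts used to exercise the check offline.

```shell
# Added example, not from the original article: check the EFFECTIVE sshd
# configuration (sshd -T) before restarting. Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it
# reads, so a drop-in saying "PasswordAuthentication yes" silently wins.

# Required values as `sshd -T` prints them. '|' lists alternative key names:
# OpenSSH 8.7+ reports kbdinteractiveauthentication, older releases
# challengeresponseauthentication.
REQUIRED="passwordauthentication no
kbdinteractiveauthentication|challengeresponseauthentication no
permitrootlogin no"

# check_effective_config <sshd -T output>: prints wrong/missing keys, returns 0 iff all correct
check_effective_config() {
    dump="$1"; rc=0
    while read -r keys want; do
        [ -z "$keys" ] && continue
        found=""
        for key in $(printf '%s' "$keys" | tr '|' ' '); do
            got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
            [ -n "$got" ] && { found="$key=$got"; break; }
        done
        case "$found" in
            *"=$want") ;;
            "") printf 'MISSING: %s\n' "$keys"; rc=1 ;;
            *)  printf 'MISMATCH: %s (want %s)\n' "$found" "$want"; rc=1 ;;
        esac
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# On the server: syntax check, effective-value check, only then restart.
verify_and_restart() {
    sudo sshd -t || { echo "syntax error in sshd_config; not restarting"; return 1; }
    check_effective_config "$(sudo sshd -T)" || { echo "refusing to restart"; return 1; }
    sudo systemctl restart ssh
}

# Constructed sample `sshd -T` output: hardened host (OpenSSH >= 8.7 key names).
SAMPLE_GOOD="passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no"

# Constructed sample where a drop-in re-enabled passwords (older key name).
SAMPLE_BAD="passwordauthentication yes
challengeresponseauthentication no
permitrootlogin prohibit-password"
```

Run verify_and_restart on the server in place of the bare restart; running check_effective_config against SAMPLE_BAD reports both passwordauthentication and permitrootlogin as mismatches and returns non-zero.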

By following these steps, you have successfully disabled password authentication for SSH on your Ubuntu server, significantly enhancing its security posture. Always remember to keep your private SSH keys secure and never share them.