Disable Linux ssh password login to increase security

I wish to disable ssh shoppers from accessing utilizing the password and solely enable ssh login utilizing SSH keys. How do I disable password authentication for SSH on Linux working programs?

This web page explains methods to disable ssh password login on Linux completely and solely use ssh keys for login. So, first, you could arrange an everyday non-privileged person account. Subsequent, configure SSH keys for login. After you have SSH Keys configured, you could disable password login for all customers, together with root. This web page explains to you methods to generate an ssh key and disable password authentication on the Linux or Unix-based system. For demo functions, I’m utilizing a Ubuntu Linux right here, nevertheless it ought to work with different Linux distros akin to CentOS/RHEL/Fedora/Debian and so forth.

Step 1 – Login to the distant server

Use the ssh command or shopper akin to Putty:
$ ssh [email protected]
$ ssh [email protected]

Step 2 – Create a brand new person account

Kind the next command on Linux primarily based system to create a brand new person named vivek:
# useradd -m -s /bin/bash vivek
Set the person’s password utilizing the passwd command:
# passwd vivek
Pattern outputs:

Enter new UNIX password:
Retype new UNIX password:
passwd: password up to date efficiently

Add person to sudo (Ubuntu/Debian) group. In case you are utilizing a CentOS/RHEL/Fedora Linux add customers to wheel supplementary/secondary group:
# usermod -aG sudo vivek
RHEL/CentOS Linux customers, sort:
# usermod -aG wheel vivek
The above command permits folks in group wheel or sudo to run all instructions. Confirm it utilizing the id command:
# su – vivek
$ id vivek
Pattern outputs:

uid=1000(vivek) gid=1000(vivek) teams=1000(vivek),27(sudo)

Exit a login shell:
$ logout
Disable Linux ssh password login to increase security
Please notice you can add present customers to sudo or wheel group too. No have to create a brand new person account:
# usermod -aG sudo userNameHere #Debian/Ubuntu
# usermod -aG wheel userNameHere #CentOS/RHEL

Step 3 – Set up ssh keys on a distant machine

All command have to be executed on native system/desktop/macos/freebsd workstation. Create the important thing pair:
$ ssh-keygen -t rsa
Set up the general public key in distant server:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]
Pattern outputs:

/usr/native/bin/ssh-copy-id: INFO: Supply of key(s) to be put in: “/Customers/vivek/.ssh/id_rsa.pub”
/usr/native/bin/ssh-copy-id: INFO: trying to log in with the brand new key(s), to filter out any which might be already put in
/usr/native/bin/ssh-copy-id: INFO: 1 key(s) stay to be put in — if you’re prompted now it’s to put in the brand new keys
[email protected]’s password:

Variety of key(s) added: 1

Now strive logging into the machine, with: “ssh ‘[email protected]’”
and test to guarantee that solely the important thing(s) you wished had been added.

Check ssh keybase login:
$ ssh [email protected]
Pattern outputs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

* Documentation: https://assist.ubuntu.com
* Administration: https://panorama.canonical.com
* Help: https://ubuntu.com/benefit
To run a command as administrator (person “root”), use “sudo “.
See “man sudo_root” for particulars.

[email protected]:~$

To run a command as administrator (person “root”), use “sudo {command}”. For instance:
$ sudo ls /root/
To realize root shell, enter:
$ sudo -s
See How To Setup SSH Keys on a Linux / Unix System for extra info.

Step 4 – Disable root login and password primarily based login

We have to log in into server utilizing newly created person named vivek:
ssh [email protected]
ssh [email protected]
Edit the /and so forth/ssh/sshd_config file, enter:
$ sudo vi /and so forth/ssh/sshd_config
Discover ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Subsequent, discover PasswordAuthentication set to no too:

PasswordAuthentication no

Seek for UsePAM and set to no, too:

UsePAM no

Lastly search for PermitRootLogin and set to no too:

PermitRootLogin no

Save and shut the file. Reload or restart the ssh server on Linux:
# /and so forth/init.d/ssh reload
We will use the systemctl command for systemd primarily based Linux distros:
$ sudo systemctl reload ssh
One can use the next on RHEL/CentOS Linux:
# /and so forth/init.d/sshd reload
Once more for systemd primarily based distro akin to CentOS/RHEL 7.x or the newest model of Fedora, strive:
$ sudo systemctl reload sshd

Step 5 – Verification

Attempt to login as root:
$ ssh [email protected]
Permission denied (publickey).
Attempt to login with password solely:
$ ssh [email protected] -o PubkeyAuthentication=no
Permission denied (publickey).

Conclusion

And there you might have it, password authentication for SSH disabled together with root person. Your server will now solely settle for key primarily based login and the foundation person can’t login with password. See “High 20 OpenSSH Server Finest Safety Practices” for more information.

ADVERTISEMENTS

Posted by: Vivek Gite

The creator is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a coach for the Linux working system/Unix shell scripting. Get the newest tutorials on SysAdmin, Linux/Unix and open supply matters by way of RSS/XML feed or weekly e-mail e-newsletter.

ssh disable password login for user,disable ssh login for all users,ubuntu 18.04 disable ssh password login,usepam,disable ssh login for user,ssh enable password authentication for one user,challengeresponseauthentication,remove password prompt for ssh

Share:

administrator