Are you trying to figure out the best way to disable ssh clients from accessing your server via password and only allow ssh login using SSH keys?
Due to security concerns in Linux Servers, to prevent attackers from using password to access the server via an SSh client such as putty, using encryption keys to authenticate SSH connection is a more secure alternative.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Configuration tasks on their Servers.
In this context, we shall look into how to disable ssh password login on Linux permanently and only use ssh keys for login.
In this guide, you have to set up a regular non-privileged user account for your server. After this, you have to configure SSH keys to allow Login.
As soon as SSH Keys is configured, you need to disable password login for all users, including root.
Now, we will look into how to generate an ssh key and disable password authentication on the Linux or Unix-based system.
Here, we will experiment this on Ubuntu 18.04.
Note that this can also be implemented on other Linux distribution such as CentOS, RHEL, Fedora, Debian and so on.
To begin, you need to log into your server via an SSH tool such as putty with the root user.
To do this, run any of the command shown below as per your server IP address or hostname;
ssh root@server-ip-here
ssh root@server1.linuxapt.com After logging into your Server successfully, you can now create a new user account for your Server.
To create a new user account for instance "linuxapt" on Ubuntu, run the command below;
useradd -m -s /bin/bash linuxapt
Then set the user's password by running the passwd command as shown below;
passwd linuxapt
Now, you will get an output such as;
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfullyFor Ubuntu / Debian users, to wheel supplementary/secondary group, run the command below;
usermod -aG sudo linuxapt
For CentOS/RHEL/Fedora users, to wheel supplementary/secondary group, run the command below;
usermod -aG wheel linuxapt
Note that the above command allows people in group wheel or sudo to run all commands.
To verify if, run the commands below;
su - linuxapt
id linuxaptYou will see the following output;
uid=1000(linuxapt) gid=1000(linuxapt) groups=1000(linuxapt),27(sudo)
Next, exit the user from the shell, run the command below;
logout
In this case, note that you can add existing users to sudo or wheel group too. There is no need to create a new user account. To do this, run the commands below;
# usermod -aG sudo userName #Debian/Ubuntu
# usermod -aG wheel userName #CentOS/RHELHow to install ssh keys on a remote machine?
To create the key pair, run the command below;
ssh-keygen -t rsa
Then, install the public key in the remote server by running the command below;
ssh-copy-id -i $HOME/.ssh/id_rsa.pub linuxapt@server1.linuxapt.com
You will get the output as shown below;
/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed:
"/Users/linuxapt/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
linuxapt@ln.cbzc01's password:
Number of key(s) added: 1Now try logging into the machine, with: "ssh 'linuxapt@server1.linuxapt.com'"
and check to make sure that only the key(s) you wanted were added.
Now test the ssh keybase login by running the command below;
ssh linuxapt@server1.linuxapt.com
You will get an output as shown below;
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
linuxapt@ubuntu:~$ To run a command as administrator (user "root"), you can use "sudo {command}" as shown below;
sudo ls /root/
To enter root shell, run the command below;
sudo -s
How to disable root login and password based login?
Here, you have to modify the "/etc/ssh/sshd_config" file by running the command as shown below;
sudo vi /etc/ssh/sshd_config
In this file, look for the attribute "ChallengeResponseAuthentication" and set it to no as shown below;
ChallengeResponseAuthentication no
The next thing is to find the attribute "PasswordAuthentication" and set it no as shown below;
PasswordAuthentication no
Now search for "UsePAM" and set to no as seen below;
UsePAM no
Also, find the attribute "PermitRootLogin" and set it to no as well as shown below;
PermitRootLogin no
Now, save and close the file. After this, reload the ssh service by running the command below;
/etc/init.d/ssh reload
For systemd based Linux distros, you can use the systemctl command shown below;
sudo systemctl reload ssh
For RHEL/CentOS servers, reload the ssh service by running the command below;
/etc/init.d/sshd reload
For CentOS/RHEL 7.x or the latest version of Fedora, you can run the command below to reload the ssh service;
sudo systemctl reload sshd
How to test the SSH keys configuration?
Start by logging into the Server as the root user by running the command below;
ssh root@server1.linuxapt.com
You will get an output such as this;
Permission denied (publickey).
Next, try to login with password only as shown below;
ssh linuxapt@server1.linuxapt.com -o PubkeyAuthentication=no
Again, you will get an output such as this;
Permission denied (publickey).
Need to disable password authentication for SSH on Ubuntu operating systems? We are available to help you today.
In this article, you will learn how to disable password authentication for SSH including the root user. This will enable the server to only accept key based login and the root user can not login with password.
