Complete steps to disable SSH password login on Ubuntu to enhance security

Are you trying to figure out the best way to disable ssh clients from accessing your server via password and only allow ssh login using SSH keys? 


On Linux servers, authenticating SSH connections with encryption keys is a more secure alternative to passwords, because it prevents attackers from using a password to access the server via an SSH client such as PuTTY.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Configuration tasks on their Servers.

In this context, we shall look into how to disable ssh password login on Linux permanently and only use ssh keys for login.


How to generate and Configure SSH keys on a Server to enable login?

In this guide, you will first set up a regular non-privileged user account on your server and then configure SSH keys to allow login.

As soon as the SSH keys are configured, you need to disable password login for all users, including root.

Now, we will look into how to generate an ssh key and disable password authentication on the Linux or Unix-based system.

Here, we will demonstrate this on Ubuntu 18.04.

Note that this can also be implemented on other Linux distributions such as CentOS, RHEL, Fedora, Debian and so on.

To begin, log into your server as the root user with an SSH tool such as PuTTY.

To do this, run either of the commands shown below, using your server's IP address or hostname;

ssh root@server-ip-here

ssh root@server1.linuxapt.com 

After logging into your Server successfully, you can now create a new user account for your Server.


How to create a user account on Ubuntu and CentOS?

To create a new user account, for instance "linuxapt", on Ubuntu, run the command below;

useradd -m -s /bin/bash linuxapt

Then set the user's password by running the passwd command as shown below;

passwd linuxapt

Now, you will get an output such as;

Enter new UNIX password: 

Retype new UNIX password: 
passwd: password updated successfully

For Ubuntu / Debian users, to add the account to the sudo supplementary/secondary group, run the command below;

usermod -aG sudo linuxapt

For CentOS/RHEL/Fedora users, to add the account to the wheel supplementary/secondary group, run the command below;

usermod -aG wheel linuxapt

Note that the above command allows people in group wheel or sudo to run all commands. 

To verify it, run the commands below;

su - linuxapt

id linuxapt

You will see the following output;

uid=1000(linuxapt) gid=1000(linuxapt) groups=1000(linuxapt),27(sudo)

Next, to exit the user's shell, run the command below;

logout

Note that you can also add existing users to the sudo or wheel group; there is no need to create a new user account. To do this, run the commands below;

# usermod -aG sudo userName #Debian/Ubuntu

# usermod -aG wheel userName #CentOS/RHEL

How to install ssh keys on a remote machine?

To create the key pair, run the command below on your local machine (the client you connect from);

ssh-keygen -t rsa

Then, install the public key in the remote server by running the command below;

ssh-copy-id -i $HOME/.ssh/id_rsa.pub linuxapt@server1.linuxapt.com

You will get the output as shown below;

/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/linuxapt/.ssh/id_rsa.pub"

/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
linuxapt@ln.cbzc01's password: 
Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'linuxapt@server1.linuxapt.com'"

and check to make sure that only the key(s) you wanted were added.

Now test the SSH key-based login by running the command below;

ssh linuxapt@server1.linuxapt.com

You will get an output as shown below;

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.8.6-x86_64-linode78 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
linuxapt@ubuntu:~$ 

To run a command as administrator (user "root"), you can use "sudo {command}" as shown below;

sudo ls /root/

To enter root shell, run the command below;

sudo -s

How to disable root login and password based login?

Here, you have to modify the "/etc/ssh/sshd_config" file by running the command as shown below;

sudo vi /etc/ssh/sshd_config

In this file, look for the attribute "ChallengeResponseAuthentication" and set it to no as shown below;

ChallengeResponseAuthentication no

The next thing is to find the attribute "PasswordAuthentication" and set it to no as shown below;

PasswordAuthentication no

Now search for "UsePAM" and set it to no as seen below;

UsePAM no

Also, find the attribute "PermitRootLogin" and set it to no as shown below;

PermitRootLogin no

Now, save and close the file. After this, reload the ssh service by running the command below;

/etc/init.d/ssh reload

For systemd based Linux distros, you can use the systemctl command shown below;

sudo systemctl reload ssh

For RHEL/CentOS servers, reload the ssh service by running the command below;

/etc/init.d/sshd reload

For CentOS/RHEL 7.x or the latest version of Fedora, you can run the command below to reload the ssh service;

sudo systemctl reload sshd
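
Before relying on the reload, it is worth confirming that the edits actually take effect: sshd keeps the first value it reads for each keyword, so an earlier "yes" overrides a "no" added further down. The script below is an added example, not part of the original guide; it resolves the four directives edited above the same way and fails if any is not "no". The function names and sample files are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config-style file.
# sshd keeps the FIRST value it reads for each keyword, so a stock
# "PasswordAuthentication yes" higher up beats a "no" appended at the end.

# Print the first global value of keyword $1 in file $2, lower-cased.
# Keywords are case-insensitive and "Keyword=value" is also valid syntax.
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment
        /^[ \t]*$/ { next }                  # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit         # Match blocks are not evaluated here
            if (key == want) { print tolower(f[2]); exit }
        }' "$2"
}

# Return 0 only when all four directives set in the guide resolve to "no".
# An absent keyword is reported as "unset" and treated as a failure.
audit_sshd_config() {
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication \
              UsePAM PermitRootLogin; do
        val=$(effective_value "$kw" "$1")
        if [ "$val" != "no" ]; then
            echo "FAIL: $kw is ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no' 'UsePAM no' \
    'PasswordAuthentication no' > "$tmp/shadowed"
printf '%s\n' '# hardened' 'PermitRootLogin no' 'PasswordAuthentication=no' \
    'ChallengeResponseAuthentication no' 'usepam no' > "$tmp/hardened"

audit_sshd_config "$tmp/shadowed" || echo "shadowed sample: NOT hardened"
audit_sshd_config "$tmp/hardened" && echo "hardened sample: OK"
```

On a live server, "sudo sshd -t" checks the configuration file for syntax errors and "sudo sshd -T" prints the effective values sshd will use.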

How to test the SSH keys configuration?

Start by attempting to log into the server as the root user by running the command below;

ssh root@server1.linuxapt.com

You will get an output such as this;

Permission denied (publickey).

Next, try to log in with a password only as shown below;

ssh linuxapt@server1.linuxapt.com -o PubkeyAuthentication=no

Again, you will get an output such as this;

Permission denied (publickey).

In this article, you learned how to disable password authentication for SSH, including for the root user. The server will then only accept key-based logins, and the root user cannot log in with a password.