Secure Shell (SSH) is the protocol used to access and manage servers remotely over an encrypted connection. By default, SSH is configured to authenticate users with a password. A password is a layer of protection, but a thin one: attackers run brute-force attacks to guess passwords and gain unauthorized access to your server. Disabling password authentication in SSH is therefore an essential step in hardening your server.
See also: How to block SSH login brute force.
In this article, we will explore the steps involved in disabling password authentication in SSH. We will also discuss why disabling password authentication is crucial for securing your server.
Why disable password authentication in SSH?
Password authentication in SSH has several weaknesses. It is susceptible to brute force attacks: automated, repeated login attempts that try to guess the password. If the password is weak, such an attack succeeds and gives the attacker unauthorized access to your server.
Password authentication is also exposed to man-in-the-middle (MITM) attacks. If an attacker can place themselves between the user and the server, which in SSH means the client accepts the attacker's host key instead of the real one, the attacker receives the password the user types and can use it to log in to the server.
Disabling password authentication and using public key authentication instead is a more secure way of logging in to your server. Public key authentication uses a key pair: a public key and a private key. The public key is installed on the server, while the private key stays on your local machine. When you log in, the server sends a challenge to your machine; your SSH client signs it with your private key, and the server verifies the signature with the public key it holds. If the signature checks out, the server grants you access. Unlike a password, the private key is never transmitted, so there is nothing reusable for an eavesdropper to capture.
Steps to disable password authentication in SSH
Here are the steps to disable password authentication in SSH:
- Open your terminal application and log in to your server as the root user.
- Open the SSH configuration file, /etc/ssh/sshd_config, in a text editor. For example, with the nano editor:
  nano /etc/ssh/sshd_config
- Locate the line that reads "#PasswordAuthentication yes". Uncomment it by removing the # sign at the beginning of the line and change its value to no, so that it reads:
  PasswordAuthentication no
- Save and close the file.
- Restart the SSH daemon to apply the change:
  systemctl restart sshd
You have now successfully disabled password authentication in SSH. From now on, you can only log in to your server using public key authentication.
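The manual edit above, as an added example that is not code from the original article. It makes the change repeatable and adds two checks the hand edit lacks: it resolves files pulled in by Include directives (on current Ubuntu releases, /etc/ssh/sshd_config.d/50-cloud-init.conf commonly contains PasswordAuthentication yes and is read before the main file's own directives; sshd keeps the first value it meets), and it validates the configuration with sshd -t before restarting. It assumes OpenSSH's sshd_config syntax; the temporary paths used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSH sshd_config
# syntax: "Keyword value" per line, case-insensitive keywords, first match wins.
set -eu

# Print every value of KEYWORD in the order sshd reads them, descending into
# Include'd files at the point where the Include appears (relative Include
# paths are resolved against /etc/ssh). The first line printed is the value
# sshd will use. Match blocks are not evaluated.
directive_values() {
    file="$1"
    want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                       # no glob expansion while splitting the line
        set -- $line                 # $1 = keyword, $2.. = arguments
        set +f
        [ $# -ge 2 ] || continue     # blank line, or keyword without a value
        kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
        case "$kw" in
            include)
                shift
                for pattern in "$@"; do
                    case "$pattern" in /*) ;; *) pattern="/etc/ssh/$pattern" ;; esac
                    for f in $pattern; do            # unquoted on purpose: expand the glob
                        if [ -f "$f" ]; then directive_values "$f" "$want"; fi
                    done
                done ;;
            "$want")
                printf '%s\n' "$2" | tr 'A-Z' 'a-z' ;;
        esac
    done < "$file"
}

# The PasswordAuthentication value sshd will actually use. Its compiled-in
# default is yes, so an absent directive means passwords are accepted.
effective_password_auth() {
    v="$(directive_values "$1" PasswordAuthentication | head -n 1)"
    printf '%s\n' "${v:-yes}"
}

# Put "PasswordAuthentication no" as the very first directive of the main
# config and delete any live PasswordAuthentication lines elsewhere in it.
# Being first, it wins over anything an Include'd drop-in file says.
# Commented-out lines are kept as documentation.
set_password_auth_no() {
    cfg="$1"
    tmp="$(mktemp)"
    printf 'PasswordAuthentication no\n' > "$tmp"
    grep -viE '^[[:space:]]*PasswordAuthentication([[:space:]=]|$)' "$cfg" >> "$tmp" || true
    cat "$tmp" > "$cfg"              # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

case "${1:-}" in
    --apply)                         # run as root on the server, after your key is installed
        cfg=/etc/ssh/sshd_config
        set_password_auth_no "$cfg"
        sshd -t -f "$cfg"            # refuse to restart sshd on a broken config
        systemctl restart sshd
        echo "effective PasswordAuthentication: $(effective_password_auth "$cfg")" ;;
    *)                               # default: report only, change nothing
        cfg="${1:-/etc/ssh/sshd_config}"
        if [ -f "$cfg" ]; then
            echo "effective PasswordAuthentication in $cfg: $(effective_password_auth "$cfg")"
        else
            echo "$cfg not found; pass a config path, or --apply on the server" >&2
        fi ;;
esac
```

Run it without arguments first to see what the server currently enforces, then with --apply from a session you keep open, and confirm a fresh key-based login from a second terminal before closing the first one.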
How to set up public key authentication
Now that you have disabled password authentication in SSH, you need to set up public key authentication to log in to your server. Here are the steps involved:
- Generate a public/private key pair on your local machine with the ssh-keygen command:
  ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  This command generates a new SSH key using the RSA algorithm with a bit length of 4096 and prompts you to enter a file path and a passphrase for the key. We recommend leaving the file path and passphrase blank, as this creates the key in the default location with no passphrase.
- Copy the public key to your server with the ssh-copy-id command:
  ssh-copy-id user@server-ip-address
  Replace user with your username on the server and server-ip-address with the IP address of your server. You will be prompted to enter your password for the last time. Once you have entered it, your public key is added to the authorized_keys file on your server, allowing you to log in without a password.
- Log in to your server using public key authentication:
  ssh user@server-ip-address
  Again, replace user with your username on the server and server-ip-address with the IP address of your server.
If everything is set up correctly, you are logged in to your server without being prompted for a password.
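The server-side effect of the ssh-copy-id step, done by hand, as an added example that is not code from the original article. It is useful when ssh-copy-id is not available on the client, when you reach the server over a console rather than a password login, or when you stage keys into a server image. It assumes OpenSSH's default StrictModes yes, under which sshd silently ignores an authorized_keys file that is group- or world-writable or that sits in such a directory; the home directory and key strings used below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces what ssh-copy-id
# does on the server: create ~/.ssh and authorized_keys with the modes sshd
# requires and append the key once.
set -eu

# Accept only lines shaped like an OpenSSH public key: a known key type, a
# base64 blob and an optional comment. Anything else (private key material,
# PEM headers, output pasted by mistake) is refused.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -qE \
      '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=* ?[^[:cntrl:]]*$'
}

# Append KEY to HOME/.ssh/authorized_keys unless the same key is already
# there, creating directory and file with the modes sshd insists on.
# Exit status: 0 added, 2 already present, 1 not a valid public key line.
install_authorized_key() {
    home="$1"; key="$2"
    valid_pubkey_line "$key" || return 1
    dir="$home/.ssh"; auth="$dir/authorized_keys"
    umask 077                         # anything created here is owner-only
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # compare on "type blob" only, so a different comment is not a new key
    want="$(printf '%s\n' "$key" | awk '{print $1 " " $2}')"
    if awk '{print $1 " " $2}' "$auth" | grep -qxF -- "$want"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
}

# The check sshd applies under StrictModes: neither ~/.ssh nor
# authorized_keys may be writable by group or others. 0 = ok, 1 = too open.
perms_ok() {
    home="$1"
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        mode="$(ls -ld "$p" | cut -c1-10)"          # e.g. drwx------
        case "$mode" in
            ?????w????|????????w?) return 1 ;;     # group-write or other-write bit set
        esac
    done
    return 0
}

# Usage on a server (constructed values):
#   install_authorized_key /home/alice "ssh-ed25519 AAAA... alice@laptop"
#   chown -R alice:alice /home/alice/.ssh    # when run as root on behalf of alice
#   perms_ok /home/alice && echo "permissions ok"
```

When a key-based login fails even though the key is in place, the permission check is the first thing to run: sshd logs the refusal on the server (journalctl -u ssh or /var/log/auth.log) but gives the client no hint beyond "Permission denied".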
Conclusion
In conclusion, disabling password authentication in SSH is a critical step in securing your server. Password authentication has several vulnerabilities, including susceptibility to brute force attacks and MITM attacks. By disabling password authentication and using public key authentication, you can significantly improve the security of your server.
We have discussed the steps involved in disabling password authentication and setting up public key authentication in SSH. If you follow these steps, you will be able to log in to your server using public key authentication, which is a more secure method of accessing your server.
Remember to always keep your server up to date with security patches and use strong passwords for any accounts that still require a password. By taking these steps, you can significantly improve the security of your server and reduce the risk of unauthorized access.