Disable Password Authentication and Use SSH Keys on Linux Ubuntu Server
Learn how to improve Linux Ubuntu server security by disabling password-based SSH authentication and using SSH keys for secure, encrypted access. Safeguard your server against attacks.
Introduction
Passwords are often a weak point in server security. They can be vulnerable to brute-force attacks, even if complex. A more secure alternative is to disable password authentication and use SSH keys to access your server. In this guide, you'll learn how to disable password authentication on an Ubuntu server and configure SSH key-based access.
Why Use SSH Key Authentication?
SSH keys provide several advantages over password-based authentication:
- Enhanced Security: SSH keys offer stronger encryption (2048 or 4096-bit), making them difficult to crack.
- Eliminates Brute Force Attacks: Without passwords to guess, brute-force attacks become impossible.
- Simplified Access: You no longer need to remember passwords to log into your server.
Prerequisites
Before proceeding, ensure that you have:
- SSH access to your Ubuntu server with
sudoprivileges. - An SSH client on your local machine (usually installed by default on Linux/macOS).
- An SSH key pair (or be ready to generate one).
Step 1: Generate an SSH Key Pair
If you don’t already have an SSH key pair, you can generate one using the following command on your local machine:
ssh-keygen -t rsa -b 4096
- When prompted, press Enter to save the key pair in the default location (
~/.ssh/id_rsa). - Optionally, set a passphrase for extra security.
Your public key will be saved as ~/.ssh/id_rsa.pub and your private key as ~/.ssh/id_rsa.
Step 2: Copy SSH Public Key to Your Ubuntu Server
To enable SSH key-based authentication, you need to copy your public key to the Ubuntu server. You can do this easily with the following command:
ssh-copy-id username@your_server_ip
Replace username with your server’s username and your_server_ip with your server’s IP address.
Manual Method
If ssh-copy-id isn’t available, you can manually copy your key using:
cat ~/.ssh/id_rsa.pub | ssh username@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
For Windows PowerShell:
Get-Content $env:USERPROFILE\.ssh\id_rsa.pub | ssh <user>@<hostname> "cat >> .ssh/authorized_keys"
Step 3: Log in Using SSH Key Authentication
After copying the public key, test the key-based login by running:
ssh username@your_server_ip
If everything is set up correctly, you will be able to log in without being asked for a password.
Step 4: Disable Password Authentication
Now that you can log in using SSH keys, it’s time to disable password authentication to improve security.
- Log in to your server via SSH:
ssh username@your_server_ip
- Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Locate and change the following lines to
no:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
You might not find ChallengeResponseAuthentication, if that is the case, add a new line.
- Save and close the file (Ctrl + X, then Y, and press Enter).
- Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Step 5: Test the Configuration
Before closing your current SSH session, open a new terminal window and test whether you can still log in:
ssh username@your_server_ip
If you can log in without being prompted for a password, password authentication has been successfully disabled.
Step 6: Optional – Disable Root Login
For added security, you can also disable root login. This will prevent anyone from logging in directly as the root user over SSH.
- Open the SSH configuration file again:
sudo nano /etc/ssh/sshd_config
- Find and set the following line to no:
PermitRootLogin no
- Save and close the file, then restart the SSH service:
sudo systemctl restart ssh
Even though direct root login is disabled, you can still use sudo to perform administrative tasks as a regular user.
Conclusion
By disabling password authentication and switching to SSH key-based login, you enhance your Ubuntu server’s security, reducing the risk of brute-force attacks. Be sure to keep your private key secure, and consider adding extra security measures like two-factor authentication or tools like Fail2Ban for an extra layer of protection.