In previous tutorials in this series, we went over generating SSH keys and how to use them.  We’ll wrap up the series by showing you how to turn off password authentication on your server.

Why Configure for SSH Key Authentication Only

As mentioned in Part 1, SSH key authentication requires both “something you know” (the passphrase) and “something you have” (the SSH private key file).  Some attacker on the other side of the world might guess or brute force your password, or if you’re sloppy you might reuse it on some breached web site.  But none of that matters if the bad guy doesn’t have your SSH private key file.

This doesn’t mean you shouldn’t still use strong passphrases with your SSH private key file.  If for some reason, your client system (such as your home PC or laptop) was compromised, then security rests with this passphrase, so follow normal best practices for strong passphrases.

Disabling Password Authentication

First, test that SSH key authentication works (see Part 2) so you don’t lock yourself out.

Using your favorite editor (such as vi or nano), edit the /etc/ssh/sshd_config file.  The location is the same on both Debian- and CentOS-based systems.

    sudo vi /etc/ssh/sshd_config

Change these lines as follows:

    PubkeyAuthentication yes
    PasswordAuthentication no

Then restart sshd:

    systemctl restart sshd  

Now try to login.  Here I will use an account that was setup and has not had an ssh key configured:

    $ ssh testuser@myserver
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 

Wrapping Up

Here are the key takeaways from this series:

• SSH key authentication is based on public key encryption.  The private key should be zealously protected.  On the other hand, the public key does not need to be kept secret.  The public key is what is installed on various servers you wish to connect to.
• SSH key authentication is superior to passwords because it requires the user to have the SSH key file in his/her possession, not merely know a secret passphrase.
• You should set a solid passphrase on your SSH private key file in case it is lost/stolen/compromised.
• The ssh-copy-id utility allows you to very easily setup your SSH key on remote systems if you have a Linux or macOS client.  On Windows, you’ll need to proceed with manual steps.
• Disabling password authentication on your servers completes the security setup.  Once done, the security of your server is significantly improved.

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• COMMUNITY NEWS: RackNerd LLC, Global IaaS Provider, Expands European Footprint with New Dublin, Ireland Datacenter - November 16, 2024
• Hey Providers – Want Some FREE Advertising During the SuperBowl? - November 14, 2024
• Inception Hosting is Closing Its Doors - November 12, 2024