Linux disable password ssh

How to Setup Passwordless SSH Login

Secure Shell (SSH) is a cryptographic network protocol used for secure connections between a client and a server, and it supports various authentication mechanisms. The two most popular mechanisms are password-based authentication and public-key-based authentication.

In this tutorial, we will show you how to set up SSH key-based authentication as well as how to connect to your Linux server without entering a password.

Setup SSH Passwordless Login

To set up a passwordless SSH login in Linux, all you need to do is generate a public authentication key and append it to the remote host's ~/.ssh/authorized_keys file.

The following steps will describe the process for configuring passwordless SSH login:

Check for existing SSH key pair. Before generating a new SSH key pair, first check if you already have an SSH key on your client machine, because you don’t want to overwrite your existing keys. Run the following ls command to see if existing SSH keys are present:

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

Next, the ssh-keygen tool will ask you to type a secure passphrase. Whether you want to use a passphrase is up to you; if you choose to use one, you get an extra layer of security. In most cases, developers and system administrators use SSH without a passphrase because passphrase-less keys are useful for fully automated processes. If you don’t want to use a passphrase, just press Enter.

Enter passphrase (empty for no passphrase):

The whole interaction looks like this: To be sure that the SSH keys are generated you can list your new private and public keys with:

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub
ssh-copy-id remote_username@server_ip_address
remote_username@server_ip_address's password:

Once the user is authenticated, the public key will be appended to the remote user's authorized_keys file and the connection will be closed. If for some reason the ssh-copy-id utility is not available on your local computer, you can use the following command to copy the public key:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
ssh remote_username@server_ip_address
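The `cat >> ~/.ssh/authorized_keys` fallback above appends a second copy of the key every time it is rerun. The following added example (not part of the original tutorial) installs a key idempotently and applies the same 700/600 permissions; the function name `install_pubkey` and its directory parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent install of one public key into authorized_keys.
# install_pubkey PUBKEY_FILE SSH_DIR
#   SSH_DIR is the target account's ~/.ssh, passed as a parameter so the
#   function can be exercised against a scratch directory first.
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys

    # Accept exactly one line that starts with a public-key type. This also
    # stops a private key file from being installed by mistake.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 1; }
    case $(cut -d' ' -f1 "$pub") in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # Same permissions as the tutorial's one-liner.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on "type base64" only, so the same key carrying a different
    # comment (or prefixed by options) counts as already installed.
    blob=$(cut -d' ' -f1,2 "$pub")
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present"
    else
        cat "$pub" >> "$auth"
        echo "key added"
    fi
}
```

On the server this would be called as `install_pubkey uploaded_key.pub "$HOME/.ssh"`, where `uploaded_key.pub` is a placeholder for the copied public key file.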

Disabling SSH Password Authentication

To add an extra layer of security to your server you can disable the password authentication for SSH.

Before disabling the SSH password authentication make sure you can log in to your server without a password and the user you are logging in with has sudo privileges.

The following tutorials describe how to configure sudo access:

ssh sudo_user@server_ip_address
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Once you are done save the file and restart the SSH service. On Ubuntu or Debian servers, run the following command:

sudo systemctl restart ssh

On Red Hat based systems, the service is named sshd:

sudo systemctl restart sshd
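sshd uses the first value it obtains for each keyword, so a `PasswordAuthentication no` appended below an existing `PasswordAuthentication yes` changes nothing. The following added example (not part of the original tutorial) checks a config file for that case using the three directives above; the function names are assumptions, the defaults are the ones quoted on this page, and `Include` files and `Match` blocks are not followed.

```shell
#!/bin/sh
# Added example. Reads only the global section of a single file.

# effective_value FILE KEYWORD DEFAULT -> value sshd would use
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                 # skip comments, blank lines
        { key = tolower($1) }                   # keywords are case-insensitive
        key == "match" { exit }                 # global section ends here
        key == want    { val = tolower($2); found = 1; exit }  # first wins
        END            { print (found ? val : def) }
    ' "$1"
}

# password_login_open FILE -> exit 0 (naming the cause) while a password
# can still authenticate, exit 1 once both password paths are closed.
password_login_open() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_value "$1" UsePAM no)
    if [ "$pw" = yes ]; then
        echo "PasswordAuthentication yes"; return 0
    fi
    if [ "$cr" = yes ] && [ "$pam" = yes ]; then
        echo "ChallengeResponseAuthentication yes (via PAM)"; return 0
    fi
    echo "closed"; return 1
}

# Constructed sample: "no" was appended below an existing "yes".
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
# lines below were appended while following the tutorial
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
password_login_open "$demo_cfg"    # first value wins, so still open
rm -f "$demo_cfg"
```

On a live host, `sudo sshd -T` prints the effective configuration, including any `Include` files, and is the authoritative check before closing your existing session.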

Conclusion

In this tutorial you have learned how to set up SSH key-based authentication, allowing you to log in to your remote server without providing a user password. You can add the same key to multiple remote servers.


We have also shown you how to disable SSH password authentication and add an extra layer of security to your server.

If you have any questions or feedback, feel free to leave a comment.


Disable password authentication in ssh

in /etc/ssh/sshd_config and you saved the file, you have to restart your ssh server using the following command in terminal:

What is the difference between restarting ssh service and restarting sshd service? Why do we want to restart ssh instead of sshd?

@Hatshepsut: it’s an Ubuntu thing, and it’s damn annoying. On Red Hat based systems, it’s ‘service sshd’

Before disabling ssh password authentication please make sure your access with private key works as expected. Once confirmed, you can disable password authentication. I’d suggest the following changes to secure the server even more.

Edit file with: sudo nano /etc/ssh/sshd_config

Please make sure you have the following values enabled in the file:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Save file and then restart ssh service

sudo systemctl restart ssh 

Edit: There is a question what these parameters do. Let’s go through them one by one. For the most current version you can always go to the manual page OpenSSH SSH daemon configuration file

1. PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”. If this option is set to “without-password”, password authentication is disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.

Not permitting ‘Root login’ using password is considered stronger security than allowing it. That said, you should not be logging into root at all, unless no other method (sudo, etc.) will work.

2. PasswordAuthentication

Specifies whether password authentication is allowed. The default is “yes”.

This is basically it. If this is “no”, you are not allowed to login using login and password but ... you can bypass it with other options so please read on.

3. ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed (e.g. via PAM). The default is “yes”.

4. UsePAM

Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. The default is “no”.

And in the end some info from Ubuntu manual linked above. The defaults may vary so if you want to secure your server, I’d recommend to set those options mentioned at the top explicitly.

  • ChallengeResponseAuthentication no
  • X11Forwarding yes
  • PrintMotd no
  • AcceptEnv LANG LC_*
  • Subsystem sftp /usr/lib/openssh/sftp-server
  • UsePAM yes

How to disable password login on Linux

After reading this tutorial, you will know how to disable ssh password login enabling key authentication instead, increasing your system security. If you are looking for a way to disable the root login only, check this tutorial instead.

Disabling ssh password login:

The section of this tutorial about ssh focuses on the configuration file /etc/ssh/sshd_config, which like any other system configuration file, must be edited with root privileges.

Open the file /etc/ssh/sshd_config with root privileges. The command below can be used to open sshd_config using a nano text editor.

Scroll down the file and find the line containing “PasswordAuthentication yes” shown in the screenshot below. You can use the nano CTRL+W (Where) key combination to search the line containing “PasswordAuthentication”.

Edit the line leaving it as shown in the screenshot below, replacing yes with no.

Now your ssh password login is configured to be disabled after you save the file and restart the ssh service. You can exit the file edition saving settings by pressing CTRL+X.

To restart the ssh service and apply changes, run the following command.

Now the password authentication is disabled for incoming ssh connections.

Note: If you only want to disable the password authentication method, you may probably prefer to delete the ssh service; if that’s what you want, there are instructions at the end of this section.

Enabling ssh key authentication:

Key authentication is different from the password authentication method. Depending on the environment, it has advantages and disadvantages over the default password login method.

When using key authentication, we talk about a technique involving two different keys: a public key and a private key. In this case, the public key is stored on the server accepting logins; the server uses it to verify a signature that can only be produced with the matching private key, which is stored on the devices allowed to connect through ssh (clients).

Both public and private keys are generated simultaneously by the same device. In this tutorial, both public and private keys are generated by the client, and the public key is shared with the server. Before starting with this tutorial’s section, let’s enumerate key authentication benefits over default password login.

Key authentication advantages:

  • Strong generated key by default, stronger than most used human-made passwords
  • The private key remains in the client; contrary to passwords, it can’t be sniffed
  • Only devices storing the private key can connect (this can be considered a disadvantage too)

Password advantages over key authentication:

  • You can connect from any device without a private key
  • If the device is locally accessed, the password isn’t stored to be cracked
  • Easier to distribute when allowing access to multiple accounts

To generate the public and private keys, log in as the user you want to provide ssh access and generate the keys by running the command below.

After running ssh-keygen, you will be requested to type a passphrase to encrypt your private key. Most ssh accessible devices do not have a passphrase; you can leave it empty, or type a passphrase so that your private key stays encrypted if it’s leaked.


As you can see in the screenshot above, the private key is saved in the ~/.ssh/id_rsa file by default, located in the user’s home directory when creating the keys. The public key is stored in the file ~/.ssh/id_rsa.pub located in the same user directory.

Sharing or copying the public key to the server:

Now you have both public and private keys on your client device, and you need to transfer the public key to the server you want to connect to through key authentication.

You can copy the file in any way you prefer; this tutorial shows how to use the ssh-copy-id command to achieve it.

Once the keys are generated, run the command below, replacing linuxhint with your username and 192.168.1.103 with your server IP address, this will copy the generated public key to the server’s user ~/.ssh directory. You will be asked for the user password to save the public key, type it, and press ENTER.

Once the public key was copied, you can connect to your server without a password by running the following command (replace username and password for yours).

Removing the ssh service:

You may want to remove ssh altogether; in that case, removing the service is an option.

NOTE: After running the commands below on a remote system, you will lose ssh access.

To remove the ssh service, you can run the command below:

If you want to remove the ssh service, including configuration files run:

You can reinstall the ssh service by running:

Now your ssh service is back. Other methods to protect your ssh access may include changing the default ssh port, implementing firewall rules to filter the ssh port, and using TCP wrappers to filter clients.

Conclusion:

Depending on your physical environment and other factors like your security policy, the ssh key authentication method may be recommendable over password login. Since the password isn’t sent to the server to authenticate, this method is safer against Man in the Middle or sniffing attacks; it is also a great way to prevent ssh brute force attacks. The main problem of key authentication is that the device must store the private key; it may be uncomfortable if you need to log in from new devices. On the other hand, this may be seen as a security advantage.

Additionally, administrators can use TCP wrappers, iptables, or UFW rules to define allowed or unallowed clients and change the default ssh port.

Some system administrators still prefer password authentication because it is faster to create and distribute between multiple users.

Users who never access the system through ssh may opt to remove this and all unused services.

I hope this tutorial showing how to disable password login in Linux was useful. Keep following Linux Hint for more Linux tips and tutorials.

About the author

David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.
