Disable SSH Password Authentication for added security.

A while ago I wrote a bit about Shared Key Authentication for SSH (that is, public key authentication) and discussed some of the benefits of enabling it on your own servers or even desktops, one of which is protecting your server against brute force attacks. What we never discussed is that for your system to be truly protected from a brute force attack on your password, you also need to disable password authentication on the server: as long as it stays enabled, an attacker can keep guessing passwords whether or not you personally log in with a key. Before attempting this, make sure that your keys work, because if you are configuring your server remotely and you disable password authentication, you will lock yourself out. Keep the session you are working in open until a second, fresh login with the key succeeds. Once you are sure that you can log into the remote host using your private key, we can safely disable user name/password authentication.

The procedure to set this up is extremely simple. I'll be showing you this on an Ubuntu Server install with OpenSSH, but the procedure is similar on other setups. On an Ubuntu server the file is located at /etc/ssh/sshd_config. You are going to want to add the following to the config file (or change the values if they already exist):

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

The first two lines are what actually turn off password logins. PasswordAuthentication covers the plain password method; ChallengeResponseAuthentication covers keyboard-interactive, which on Linux means PAM prompting for the password, so leaving it on would let password logins in through a side door. (OpenSSH 8.7 and later call this directive KbdInteractiveAuthentication; the old name still works as an alias.) UsePAM no is optional and has side effects: with PAM off, sshd skips the PAM account and session modules, so things like pam_motd, pam_limits and logind user sessions no longer apply to SSH logins. If you want to keep those, leave UsePAM yes; the two lines above are enough on their own.

Before you save and reload, check one more thing.

Update 07/17/2012: Thanks to a reader who pointed out something I missed: ensure you have enabled public key authentication. I've noted that most often this is enabled by default, but if it is not, YOU WILL lock yourself out. Ensure the following is set in your configuration.

PubkeyAuthentication yes

Once you have saved the changes, reload the SSH service. The reload must run as root, and on Ubuntu the init script is called ssh, not sshd:

User@Host:~$ sudo /etc/init.d/ssh reload

(On newer Ubuntu releases, service ssh reload or systemctl reload ssh, again with sudo, does the same.) Keep your current session open and test a fresh login with your key before closing it.

That's it; your server should no longer accept user name/password authentication. One caveat: sshd uses the first value it sees for a directive and ignores later ones, so if your sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf (as it does on recent Ubuntu releases), a drop-in file there that sets PasswordAuthentication yes, which cloud-init commonly writes, silently overrides what you set further down in the main file. Check the effective configuration rather than trusting the file you edited.
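As an added example, not code from the original post or its commenters, here is a POSIX shell script that carries out the whole procedure above in one go on an Ubuntu-style OpenSSH install. The path /etc/ssh/sshd_config and the service name ssh are assumed defaults (override the path with SSHD_CONFIG), and the function names sshd_get, sshd_set, harden_config, verify_effective_config and harden_sshd are mine. It sets each directive idempotently (replacing Ubuntu's commented-out "#PasswordAuthentication yes" lines rather than leaving them to confuse the next admin), backs up the file, refuses to reload unless sshd -t accepts the result, and then asks sshd -T what it will actually enforce, which also catches a value overridden by an Include drop-in. It does not handle Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the settings discussed
# above to an OpenSSH server, safely. Usage (as root, with a working key login
# and a second session left open):  sudo sh harden_sshd.sh apply
# Assumed (hypothetical) defaults: Ubuntu paths and the "ssh" service name.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd honours the FIRST occurrence of a keyword and ignores later ones, and
# keywords are case-insensitive. Print the effective value of KEY in FILE
# (empty if unset). Match blocks and Include files are not followed here.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Set KEY to VALUE in FILE: every existing line for KEY, active or commented
# out like Ubuntu's "#PasswordAuthentication yes", is collapsed into one
# active line at the position of the first, so no earlier copy can win.
sshd_set() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        { l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); n = split(l, f, /[ \t]+/) }
        n > 0 && tolower(f[1]) == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # keep owner/mode of the original
    rm -f "$tmp"
}

# The directives from the post, plus the one the update says must be present.
harden_config() {
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" UsePAM no
}

# Ask sshd itself what it will enforce. "sshd -T" prints the effective config
# lowercased after processing Include files, so a drop-in that re-enables
# passwords shows up here even though the main file looks right.
verify_effective_config() {
    sshd -T | awk '
        $1 == "passwordauthentication"          && $2 == "no"  { pw = 1 }
        $1 == "challengeresponseauthentication" && $2 == "no"  { kbd = 1 }
        $1 == "kbdinteractiveauthentication"    && $2 == "no"  { kbd = 1 }
        $1 == "pubkeyauthentication"            && $2 == "yes" { pk = 1 }
        END { exit !(pw && kbd && pk) }'
}

harden_sshd() {
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    harden_config "$SSHD_CONFIG"
    # Never reload on an unchecked file: a syntax error here means sshd will
    # not come back up and the next login is impossible.
    if ! sshd -t -f "$SSHD_CONFIG"; then
        echo "sshd rejected $SSHD_CONFIG; restore the .bak copy" >&2
        return 1
    fi
    service ssh reload
    if ! verify_effective_config; then
        echo "passwords still accepted; check /etc/ssh/sshd_config.d/*.conf" >&2
        return 1
    fi
    echo "done: test a NEW login with your key before closing this session"
}

if [ "${1:-}" = "apply" ]; then
    harden_sshd
fi
```

After it reports done, prove the lockout works from another machine with `ssh -o PubkeyAuthentication=no user@host`; the server should answer "Permission denied (publickey)." without ever prompting for a password. If it prompts, `sudo sshd -T | grep -i authentication` shows which directive is still permissive and, on Ubuntu, the drop-in under /etc/ssh/sshd_config.d/ is the usual culprit.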

14 thoughts on “Disable SSH Password Authentication for added security.”

  1. That's right, never use pw-auth on production servers. And “you will lock yourself out”, thou have been warned, but... well, who didn't do that already ;)

  2. One thing you don't mention is to include PubKeyAuthentication yes
    or they will be locked out of the server after following your advice

  3. I would use the service call rather than directly invoke the init.d script. The service call ensures that the script runs in a stripped down environment and therefore is more repeatable.

    % service sshd restart

  4. Pingback: Setting up a private, encrypted and authenticated chat server with Ytalk over SSH | Luis E's thoughts...

  5. Pingback: Strato-V-Server mit Opensuse 12.3 – IV – SSH Key Authentication | linux-blog – Fa. anracon – Dr. Mönchmeyer
