In this tutorial we will take a look at how to disable SSH password authentication on a Linux VPS and set up SSH key-based authentication instead, as this is considered good security practice. We tested this tutorial on an Ubuntu 16.04 VPS, although it should work with any distribution of your choice as well.
1. Log in to your VPS
Let’s start by logging in to your Linux VPS using the ssh command:
# ssh root@your-server-ip
2. Create a new user account
Best practice is to create a new user account, so that if somebody gets hold of your key and uses it to log in to this account, they will still have to enter a password to gain root permissions.
First make sure sudo is installed. For Debian/Ubuntu-based distributions, type:
# apt-get update
# apt-get install -y sudo
For CentOS/RHEL based distributions type:
# yum install -y sudo
For Debian/Ubuntu use the following command to create a new user and add it to the sudo group:
# useradd -m -s /bin/bash -G sudo linuxcloudvps
For CentOS/RHEL you need to add the user to the wheel group; enter this command instead of the command above:
# useradd -m -s /bin/bash -G wheel linuxcloudvps
Now set a password for the user we just created:
# passwd linuxcloudvps
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
3. Create and copy the SSH keys
This command must be executed on your local machine and will ask you for a passphrase. If you enter a passphrase for your key, you will be asked for it on every SSH session you open to your VPS. Let’s generate the key:
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/linuxcloudvps/.ssh/id_rsa):
Created directory '/home/linuxcloudvps/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/linuxcloudvps/.ssh/id_rsa.
Your public key has been saved in /home/linuxcloudvps/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:MYLCbBV380UpUoexHNn1cMOtHomLK4zk8T+9BJU/pyM linuxcloudvps@your-server-hostname
The key's randomart image is:
+---[RSA 2048]----+
| o.. o.+*+o+.o|
| o . o ..++=o. =o|
| = . . o.+.o. o.|
| . . . o ...+ |
| S .. oo..|
| o ... .+ |
| o = oE o |
| o + o... . |
| o.... |
+----[SHA256]-----+
Now copy the key to your Linux VPS:
# ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcloudvps@your-server-ip
/usr/local/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/linuxcloudvps/.ssh/id_rsa.pub"
/usr/local/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/local/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
linuxcloudvps@your-server-ip's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'linuxcloudvps@your-server-ip'"
and check to make sure that only the key(s) you wanted were added.
Try to log in with the key and check that key-based authentication works now:
# ssh linuxcloudvps@your-server-ip
You should see the welcome message of your chosen distribution; in our case that’s Ubuntu 16.04:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 2.6.32-042stab120.11 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

linuxcloudvps@your-server-hostname:~$
Test if you can obtain root permissions by entering the following command:
# sudo su
Sudo will ask for a password; enter the password you set above for the linuxcloudvps user.
If everything goes well you can proceed to the next step.
4. Disable SSH password authentication and root login
Now we will edit the file “/etc/ssh/sshd_config” to disable SSH password authentication and root login:
# nano /etc/ssh/sshd_config
Find and change the following settings to no:
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Save and exit the file, then reload the configuration of the SSH server with the following command:
# service sshd reload
5. Verification
Now test to see if you disabled root login successfully:
# ssh root@your-server-ip
Permission denied (publickey).
And then test if you have disabled SSH password authentication successfully:
# ssh linuxcloudvps@your-server-ip
Permission denied (publickey).
That’s it, you’ve now successfully disabled SSH password authentication and enabled SSH key-based authentication on your Linux VPS. Your Linux server will accept only key-based logins, and direct root login over SSH is disabled.
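As an added example (not part of the original tutorial), the following POSIX shell script audits an sshd_config the way sshd itself reads it: per sshd_config(5) the first value found for a keyword wins and directives after a Match line apply only conditionally, so a "no" appended below an earlier "yes" is silently ignored even though the live tests above would then fail. The three sample configurations are constructed, and the check covers the three authentication directives set to "no" in step 4.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config the way
# sshd reads it. sshd_config(5): "For each keyword, the first obtained value
# will be used", and keywords after a Match line apply only conditionally, so a
# hardening line appended at the bottom is ignored when an earlier line already
# set the same keyword. Accepts sshd_config text or "sshd -T" output on stdin.

effective_value() {  # usage: effective_value KEYWORD DEFAULT < config
    val=$(awk -v key="$1" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }            # drop comments and indentation
        $0 == "" { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }    # "Key value" or "Key=value"
        k == "match"      { exit }                        # end of the global section
        k == tolower(key) { print f[2]; exit }            # first match wins
    ')
    printf '%s\n' "${val:-$2}"   # keyword absent: compiled-in default applies
}

# Check the three authentication directives the tutorial sets to "no".
# Defaults are OpenSSH's (PermitRootLogin defaults to prohibit-password since 7.0).
audit_sshd_config() {  # usage: audit_sshd_config < config ; returns 0 only if all are "no"
    cfg=$(cat); rc=0
    for pair in PasswordAuthentication:yes PermitRootLogin:prohibit-password \
                ChallengeResponseAuthentication:yes; do
        key=${pair%%:*}
        got=$(printf '%s\n' "$cfg" | effective_value "$key" "${pair#*:}")
        if [ "$got" = no ]; then echo "OK   $key $got"; else echo "FAIL $key $got"; rc=1; fi
    done
    return $rc
}

# Constructed sample configs (not captured from a real host).
STOCK='#PasswordAuthentication yes
PermitRootLogin prohibit-password
#ChallengeResponseAuthentication yes'   # everything commented out: defaults apply
HARDENED='PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no'              # what the tutorial produces
SHADOWED='PasswordAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no'              # the earlier "yes" wins over the appended "no"

echo "== stock";    printf '%s\n' "$STOCK"    | audit_sshd_config || echo "-> NOT hardened"
echo "== hardened"; printf '%s\n' "$HARDENED" | audit_sshd_config || echo "-> NOT hardened"
echo "== shadowed"; printf '%s\n' "$SHADOWED" | audit_sshd_config || echo "-> NOT hardened"
```

On a live host run `audit_sshd_config < /etc/ssh/sshd_config` before reloading, or pipe in the output of `sshd -T` (run as root), which prints the configuration sshd actually loaded, including any Include files on newer OpenSSH releases.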
Disabling SSH password authentication on a Linux VPS is an easy task if you have a VPS Hosting with us. Feel free to ask our expert Linux Administrators to help you disable SSH password authentication on your Linux server for you, and it will be taken care of immediately. They are available 24×7, so you can get the help you need at any time.
PS. Feel free to share this blog post if you liked it by using the social network shortcuts – you can also leave a comment instead in the comment section under the share buttons.
Thank you for that very detailed guide! Is there a way to prevent ssh from giving out any information? I.e. that, if I try to log in, I do not get the response “Permission denied (publickey)” but instead a simple “Connection refused” or the response “Password:” (even though there is none and I can try to brute force till the end of the world) etc?
You can check our other post about OpenSSH hardening here:
https://www.linuxcloudvps.com/blog/how-to-harden-openssh-on-ubuntu-20-04/