Enable or disable SSH password auth
There are two primary ways you can provide credentials to log into a server over SSH:
- Password authentication — Provide the password for the user you are logging in as.
- Public key authentication — Prove you own the private key that corresponds to the public key for the user you are logging in as.
For advanced users, SSH public key authentication is usually preferred.
Once you are familiar with SSH keys, using and managing SSH keys is actually easier than using and managing passwords. However, there is nothing fundamentally insecure about password authentication as long as strong passwords are used.
Password auth default
If the PasswordAuthentication directive is not set in the SSH service’s configuration,
password authentication is enabled.
This is because the default setting for PasswordAuthentication is yes.
Enterprise cloud providers such as Google Cloud and AWS disable password authentication by default in a server’s SSH configuration.
Disable SSH password auth
To disable SSH password authentication on a server,
first SSH into the server as root.
Next, find any existing PasswordAuthentication directives in
the sshd (SSH daemon) configuration files.
grep -RP '^(?<!#)\s*PasswordAuthentication' /etc/ssh/sshd_config /etc/ssh/sshd_config.d
The above grep command will exclude any configuration lines
that start with a hash (#) which are comments that are ignored by SSH.
If the PasswordAuthentication directive exists in the SSH service’s configuration,
each occurrence will be shown on a separate line.
The filename where the directive was found will be shown at the start of the line
followed by a colon (:) and the matching line.
For example, the output below shows that the PasswordAuthentication
directive was found in the file /etc/ssh/sshd_config.d/50-cloud-init.conf.
/etc/ssh/sshd_config.d/50-cloud-init.conf:PasswordAuthentication yes
To disable password authentication, use a command-line text editor to edit any files that contain the following:
PasswordAuthentication yes
Change all occurrences of the above line to:
PasswordAuthentication no
Finally, restart the SSH service.
sudo service ssh restart
Enable SSH password auth
To enable SSH password authentication on a server,
first SSH into the server as root.
Next, find any existing PasswordAuthentication directives in
the sshd (SSH daemon) configuration files.
grep -RP '^(?<!#)\s*PasswordAuthentication' /etc/ssh/sshd_config /etc/ssh/sshd_config.d
The above grep command will exclude any configuration lines
that start with a hash (#) which are comments that are ignored by SSH.
If the PasswordAuthentication directive exists in the SSH service’s configuration,
each occurrence will be shown on a separate line.
The filename where the directive was found will be shown at the start of the line
followed by a colon (:) and the matching line.
For example, the output below shows that the PasswordAuthentication
directive was found in the file /etc/ssh/sshd_config.d/50-cloud-init.conf.
/etc/ssh/sshd_config.d/50-cloud-init.conf:PasswordAuthentication no
To enable password authentication, use a command-line text editor to edit any files that contain the following:
PasswordAuthentication no
Change all occurrences of the above line to:
PasswordAuthentication yes
Finally, restart the SSH service.
sudo service ssh restart
Test whether password auth is enabled
To determine whether a server has password authentication enabled,
run the following command while SSH’d into the server.
To instead test a remote server,
replace localhost in the command with the server’s IP address.
ssh -n \
  -o Batchmode=yes \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  fakeuser@localhost 2>&1 | grep password
The following output means password authentication is enabled:
fakeuser@localhost: Permission denied (publickey,password).
The following output means password authentication is disabled:
fakeuser@localhost: Permission denied (publickey).
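The check above, wrapped as a shell function (an added example, not part of the original page): it parses the method list in ssh's "Permission denied (...)" line and also flags keyboard-interactive, which can still prompt for a password through PAM when PasswordAuthentication is no. The function names, the result labels and the ConnectTimeout value are assumptions made for this example.

```shell
#!/bin/sh
# Added example: interpret the auth-method list that ssh prints on denial.
# Function names and result labels are hypothetical, chosen for this example.

# classify_denial TEXT
# TEXT is the captured output of the probe (may span several lines).
# Prints one of:
#   password-enabled           "password" is offered
#   keyboard-interactive-only  no "password", but keyboard-interactive is offered
#   password-disabled          neither method is offered
#   unknown                    no "Permission denied (...)" line was found
classify_denial() {
    text=$1
    # Pull the comma-separated list out of "Permission denied (a,b,c)."
    methods=$(printf '%s\n' "$text" |
        sed -n 's/.*Permission denied (\([^)]*\))\.\{0,1\}[[:space:]]*$/\1/p' |
        tail -n 1)
    if [ -z "$methods" ]; then
        echo unknown    # e.g. connection refused or timed out
        return 0
    fi
    # Wrap in commas so each method is matched as a whole token.
    case ",$methods," in
        *,password,*)             echo password-enabled ;;
        *,keyboard-interactive,*) echo keyboard-interactive-only ;;
        *)                        echo password-disabled ;;
    esac
}

# probe_host [HOST]
# Runs the same probe as the command above (default HOST: localhost)
# and classifies the result. ConnectTimeout=5 is an assumed value.
probe_host() {
    host=${1:-localhost}
    out=$(ssh -n \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 \
        "fakeuser@$host" 2>&1) || true   # ssh exits non-zero on denial
    classify_denial "$out"
}
```

Source the file and run `probe_host` on the server, or `probe_host` followed by the server's IP address to test it remotely.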