How to Configure Ssh Key Authentication and Disable Password Login on Linux Servers

Learning how to configure SSH key authentication and disable password login on Linux servers is essential for securing your infrastructure against brute-force attacks and unauthorized access. SSH key authentication provides a more secure alternative to password-based logins by using cryptographic key pairs instead of traditional passwords. This method eliminates the risk of weak passwords and significantly reduces the attack surface of your server.

SSH keys work through public-key cryptography, where you generate a pair of keys: a private key that stays on your local machine and a public key that gets installed on the server. When you connect, the server verifies your identity using these keys rather than asking for a password. This approach is not only more secure but also more convenient for system administrators who manage multiple servers.

By the end of this tutorial, you’ll understand how to generate SSH key pairs, configure your Linux server to accept key-based authentication, and completely disable password logins to enhance your server’s security posture. This configuration is particularly important for production servers, cloud instances, and any system accessible from the internet.

Prerequisites and Requirements for SSH Key Authentication Setup

Before you begin learning how to configure SSH key authentication and disable password login on Linux servers, ensure you meet these essential requirements. You’ll need root or sudo access to the target Linux server, along with SSH access using your current authentication method (typically username and password).

Your local machine should have an SSH client installed. Most Linux distributions and macOS include SSH by default. Windows users can use PuTTY, Windows Subsystem for Linux, or the built-in OpenSSH client available in Windows 10 and later versions.

You should have basic familiarity with command-line operations and text editing in Linux. This tutorial assumes you understand how to navigate directories, edit files using editors like nano or vim, and execute commands with sudo privileges.

The estimated completion time for this tutorial is 15-30 minutes, depending on your experience level. Having a backup method to access your server is crucial in case something goes wrong during the configuration process. This could be console access through your hosting provider’s control panel or physical access to the machine.

Ensure your server is running a recent version of OpenSSH server. Most modern Linux distributions include compatible versions, but you can verify by running ssh -V on your server.

Step-by-Step Guide to Configure SSH Key Authentication

Another fascinating historical case is: Setup OpenVPN Server on Debian

Step 1: Generate SSH Key Pair on Your Local Machine

Start by generating an SSH key pair on your local machine. Open your terminal and run the following command:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

This command creates a 4096-bit RSA key pair. The -C flag adds a comment (typically your email) to help identify the key. When prompted for a file location, press Enter to accept the default location (~/.ssh/id_rsa). You can optionally set a passphrase for additional security, though this adds an extra step when connecting.

Step 2: Copy Public Key to Your Linux Server

The easiest way to copy your public key to the server is using the ssh-copy-id command:

ssh-copy-id username@your-server-ip

Replace username with your actual username and your-server-ip with your server’s IP address or hostname. This command will prompt for your current password and automatically add your public key to the ~/.ssh/authorized_keys file on the server.

If ssh-copy-id isn’t available, manually copy the key by first displaying your public key:

cat ~/.ssh/id_rsa.pub

Copy the entire output, then SSH into your server and create the necessary directory and file:

mkdir -p ~/.ssh
echo "your-public-key-content" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Step 3: Test SSH Key Authentication

Before disabling password authentication, verify that key-based authentication works correctly. Open a new terminal session and attempt to connect:

ssh username@your-server-ip

You should connect without being prompted for a password (unless you set a passphrase for your private key). If the connection fails, double-check that your public key was properly added to the authorized_keys file and that the file permissions are correct.

Step 4: Configure SSH Server Settings

Now that key authentication is working, you need to modify the SSH server configuration. Connect to your server and edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Locate and modify these settings. If a line is commented out (starts with #), uncomment it by removing the hash symbol:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

The PasswordAuthentication no directive is crucial as it disables password-based logins entirely. The UsePAM no setting prevents PAM (Pluggable Authentication Modules) from potentially allowing password authentication through other means.

Step 5: Restart SSH Service and Test Configuration

After saving the configuration file, restart the SSH service to apply changes:

sudo systemctl restart ssh

On some distributions, the service might be named sshd:

sudo systemctl restart sshd

Before closing your current SSH session, open a new terminal and test the connection again. This ensures you can still access your server after the changes. If you can connect successfully using your SSH key, the configuration is working correctly.

Troubleshooting Common SSH Key Authentication Issues

When implementing how to configure SSH key authentication and disable password login on Linux servers, you might encounter several common issues. Understanding these problems and their solutions will help you maintain secure server access.

Permission Issues

The most frequent problem involves incorrect file permissions. SSH is very strict about permissions for security reasons. The .ssh directory must have 700 permissions, and the authorized_keys file must have 600 permissions. Fix these with:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Additionally, ensure your home directory isn’t writable by other users. SSH will refuse to use keys if it detects security vulnerabilities in the directory structure.

SELinux Context Problems

On systems with SELinux enabled (like CentOS or RHEL), incorrect security contexts can prevent SSH key authentication. Restore the proper contexts using:

restorecon -R ~/.ssh

You can check if SELinux is causing issues by temporarily setting it to permissive mode and testing your connection.

Multiple Key Management

If you have multiple SSH keys, you might need to specify which key to use. Create or edit ~/.ssh/config on your local machine:

Host your-server
    HostName your-server-ip
    User username
    IdentityFile ~/.ssh/specific-key

This configuration tells SSH which key to use for specific hosts, preventing authentication failures when you have multiple keys loaded.

Locked Out Recovery

If you accidentally lock yourself out by disabling password authentication before properly setting up key authentication, you’ll need alternative access. Most cloud providers offer console access through their web interface. Physical servers might require direct console access or recovery mode.

For detailed SSH troubleshooting, refer to the official OpenSSH documentation which provides comprehensive guidance on configuration options and security best practices.

Advanced Security Configuration and Best Practices

Beyond the basic setup of SSH key authentication, several additional security measures can further protect your Linux servers. These configurations complement your key-based authentication setup and provide defense in depth.

Consider changing the default SSH port from 22 to a non-standard port. While this doesn’t provide real security against determined attackers, it reduces automated scanning attempts. Add Port 2222 to your sshd_config file and restart the SSH service. Remember to update your firewall rules accordingly.

Implement connection rate limiting to prevent brute-force attacks. Add these directives to your SSH configuration:

MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2

These settings limit authentication attempts, restrict concurrent sessions, and automatically disconnect idle connections after 10 minutes of inactivity.

For servers with multiple users, consider restricting SSH access to specific users or groups. Use the AllowUsers or AllowGroups directive:

AllowUsers admin deploy
AllowGroups ssh-users

This approach ensures only authorized users can attempt SSH connections, even if they somehow obtain valid credentials.

Enable SSH logging for security monitoring. Most systems log SSH activities to /var/log/auth.log or /var/log/secure. Regular monitoring of these logs helps identify unauthorized access attempts and security incidents.

Consider implementing two-factor authentication for additional security. Tools like Google Authenticator can be integrated with SSH to require both a key and a time-based token. The Ubuntu Server documentation provides detailed guidance on advanced SSH configurations.

For production environments, implement SSH certificate authorities instead of individual key management. This approach scales better for large infrastructures and provides centralized key management capabilities.

Regular key rotation is essential for maintaining security. Establish a schedule for generating new key pairs and removing old ones from your servers. This practice limits the impact of potentially compromised keys and maintains good security hygiene.

Successfully implementing how to configure SSH key authentication and disable password login on Linux servers significantly enhances your infrastructure security. This configuration eliminates password-based attacks while providing convenient, automated access for legitimate users. The cryptographic authentication method is virtually impossible to brute-force and scales well across multiple servers and users.

Remember to maintain backup access methods and regularly audit your SSH configurations. Key-based authentication is just one component of a comprehensive security