
Advanced Security Measure: How to Disable Password Authentication for SSH

Once you have successfully configured your SSH Keys, disabling password authentication is the best practice to ensure no one can access your server except through an authorized Private SSH Key.


Critical Security Warning

Before proceeding, you MUST confirm that you can successfully log into the server at least once using your newly configured Private SSH Key. If you disable password authentication and key authentication fails (for any reason), your server will become inaccessible via SSH, and you will need Console access (VNC/KVM) or provider support to restore your settings.

1. Accessing the Configuration File

You need to modify the SSH Daemon configuration file, typically located at /etc/ssh/sshd_config.

Log in to your server and open the file using a text editor like nano or vim:


nano /etc/ssh/sshd_config

2. Modifying the Settings

Inside the file, look for the following lines (they may be commented out with a #). You must uncomment them (remove the #) and set the values to no:

| Setting | Required Value | Description |
|---|---|---|
| ChallengeResponseAuthentication | no | Disables challenge-response authentication methods (e.g., RADIUS). |
| PasswordAuthentication | no | The most critical step: disables traditional password-based login. |
| UsePAM | no | Disables the use of Pluggable Authentication Modules (PAM) for authentication, tightening security control. |

Note: If these lines are not found, you can add them at the end of the file (though modifying existing lines is generally preferred).

3. Save and Restart the Service

After setting all the required values to no:

  1. Saving in Nano: Press CTRL+X, then Y (to save), then Enter.
  2. Restarting the SSH Service: You must restart the SSH daemon to apply the new settings. The restart command depends on your operating system:
    • Init/SysV Systems (e.g., older CentOS/Debian):

      ```
      /etc/init.d/sshd restart
      ```

    • systemd Systems (e.g., Ubuntu 16+/CentOS 7+):

      ```
      systemctl restart sshd
      ```

4. Final Verification

Once the service restarts, **open a NEW terminal window (do NOT close the current one)**, and try to log in using **only the password** (without your key). Your attempt should be immediately rejected.

If the password fails, and you can still log in successfully using your Private SSH Key, your settings are correct, and the server is fully secured.
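A pre-restart check for Steps 3 and 4, added here as an example and not part of the original article: it validates the configuration syntax and then inspects the effective settings sshd would actually use, because a drop-in file under /etc/ssh/sshd_config.d/ can override a value you edited in /etc/ssh/sshd_config. The check_effective_config function, the verify_live_sshd wrapper and the sample dump are constructed for this example; newer OpenSSH versions report ChallengeResponseAuthentication under its current name KbdInteractiveAuthentication, so both spellings are accepted.

```shell
#!/bin/sh
# Added example (not from the original article). `sshd -t` checks the syntax of
# sshd_config: a broken file makes the restart fail, which is one way to lock
# yourself out. `sshd -T` prints the effective configuration (lowercase
# "keyword value" lines) after all Include files are applied, so it shows the
# value sshd will really use, not just what you typed in sshd_config.

# Reads `sshd -T` output on stdin, prints one line per checked setting and
# returns 1 if any of the three settings from the table is not "no".
check_effective_config() {
  dump=$(cat)
  status=0
  for key in passwordauthentication usepam \
             'challengeresponseauthentication|kbdinteractiveauthentication'; do
    match_line=$(printf '%s\n' "$dump" | awk -v re="^($key)$" \
      'tolower($1) ~ re { print tolower($1), tolower($2); exit }')
    printf '%s\n' "${match_line:-$key <missing>}"
    case "$match_line" in
      *" no") ;;          # setting present and disabled
      *) status=1 ;;      # missing, or any value other than "no"
    esac
  done
  return $status
}

# Wrapper for a real host (run as root): refuse to go on if the syntax check
# fails, otherwise compare the effective configuration against the table.
verify_live_sshd() {
  sshd -t || { echo "sshd_config has a syntax error; do not restart" >&2; return 2; }
  sshd -T | check_effective_config
}

# Constructed sample of `sshd -T` output on a host where a drop-in file left
# PasswordAuthentication enabled even though sshd_config says "no".
SAMPLE_DUMP='port 22
kbdinteractiveauthentication no
passwordauthentication yes
usepam no
pubkeyauthentication yes'

# Demo on the sample: the function reports the offending line and returns 1.
printf '%s\n' "$SAMPLE_DUMP" | check_effective_config \
  || echo "at least one setting is not 'no'; fix it before restarting sshd"
```

On a live server, run `verify_live_sshd` before the restart in Step 3; a zero exit status means all three settings are effectively "no".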

Updated on: 05/12/2025
