Disable SSH Password Authentication on Ubuntu
This guide provides a straightforward, step-by-step walkthrough on how to completely disable password-based SSH authentication on an Ubuntu Linux server. By forcing the system to only accept secure SSH keys, you significantly harden your server against brute-force attacks and unauthorized access.
Prerequisite: Set Up SSH Key Authentication First
Before disabling password authentication, you must ensure that you have already configured SSH key-based access for your user account and successfully logged in using your private key. If you disable passwords without setting up SSH keys first, you will lock yourself out of your server.
Step 1: Open the SSH Configuration File
To disable password authentication, you need to edit the main SSH daemon configuration file using a text editor with administrative privileges. Run the following command in your terminal:
    sudo nano /etc/ssh/sshd_config
(Note: On newer Ubuntu versions, custom configurations might also be stored in /etc/ssh/sshd_config.d/. However, editing the main sshd_config file remains the standard approach.)
Step 2: Modify the Configuration Directives
Scroll through the file and locate the following lines. If they are commented out with a # symbol, remove the # to uncomment them. Update their values as follows:
Disable password authentication: Find the PasswordAuthentication line and change its value to no:
    PasswordAuthentication no
Disable keyboard-interactive authentication: To ensure multi-factor or alternative password prompts are also disabled, find KbdInteractiveAuthentication (or ChallengeResponseAuthentication on older Ubuntu versions) and set it to no:
    KbdInteractiveAuthentication no
Ensure public key authentication is enabled: Verify that PubkeyAuthentication is set to yes:
    PubkeyAuthentication yes
Save your changes and exit the editor. If you are using nano, press Ctrl + O to save, Enter to confirm, and Ctrl + X to exit.
Step 3: Test the Configuration for Syntax Errors
Before restarting the SSH service, verify that your configuration changes do not contain any syntax errors. Run:
    sudo sshd -t
If the command returns no output, your configuration is valid.
Step 4: Restart the SSH Service
Apply the changes by restarting the SSH daemon:
    sudo systemctl restart ssh
Step 5: Verify the Changes
Do not close your current terminal session. Open a new, separate terminal window on your local machine and attempt to log in to your server to verify that your SSH key authentication still works.
To test if password authentication is successfully disabled, you can attempt to log in by forcing SSH to ignore your keys:
    ssh -o PubkeyAuthentication=no username@your_server_ip
If configured correctly, the server should reject the connection attempt immediately with a “Permission denied (publickey)” error, confirming that password logins are completely disabled.
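Because files under /etc/ssh/sshd_config.d/ can also set these directives, a server-side check of the effective values complements the login test in Step 5. The script below is an added example, not part of the original guide: it reads the "keyword value" lines that sshd -T prints and compares them with the Step 2 settings. The function name check_sshd_effective and the two sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare effective sshd settings with the values set in Step 2.
# On the server, feed it real output:  sudo sshd -T | check_sshd_effective

check_sshd_effective() {
    awk '
        BEGIN {
            want["passwordauthentication"]       = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"]         = "yes"
        }
        {
            key = tolower($1); val = tolower($2)
            # Older releases report the keyboard-interactive setting under this name.
            if (key == "challengeresponseauthentication")
                key = "kbdinteractiveauthentication"
        }
        key in want {
            seen[key] = 1
            if (val != want[key]) {
                printf "FAIL %s is %s, expected %s\n", $1, val, want[key]
                bad = 1
            }
        }
        END {
            # A directive missing from the output is treated as a failure too.
            for (k in want)
                if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: effective values where another file still enables passwords.
sample_overridden() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

# Constructed sample: effective values after the Step 2 changes took effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

sample_hardened | check_sshd_effective && echo "hardened sample: OK"
sample_overridden | check_sshd_effective || echo "overridden sample: passwords still allowed"
```

A FAIL line for a directive you already changed in sshd_config means another configuration file is setting it; look under /etc/ssh/sshd_config.d/ for the conflicting entry.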