There is ongoing debate on the pros and cons of using passwords versus keys as ssh authentication methods. A main advantage of key authentication is that you can be protected against brute-force password guessing attacks. However, requiring a private key for ssh access means that you have to store the key somewhere on the client system, which can be another avenue of attack.
Still, one can argue that the ramifications of a cracked password are more significant than those of a compromised private key, because any single password tends to be used for multiple hosts and services, while the validity of a given private key is generally limited to a specific ssh server.
If you are using OpenSSH, you can flexibly enable or disable password authentication and key authentication. Here is how to disable ssh password authentication so that you can force ssh login via public key only.
Open the sshd configuration file (/etc/ssh/sshd_config) and set PasswordAuthentication to no: add that line, or uncomment it if it's commented out.
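Make sure that you have the following in /etc/ssh/sshd_config, in order to allow private/public key authentication. RSAAuthentication applies only to SSH protocol version 1; recent OpenSSH releases no longer support that protocol and treat the option as deprecated, so on those releases PubkeyAuthentication is the setting that matters.
    RSAAuthentication yes
    PubkeyAuthentication yes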
Finally, reload the ssh server configuration to make the change effective.
The above setting will disable ssh login via password, system-wide. If what you want is to disable ssh password login for individual users, you can do the following.
If you want to disable ssh password authentication for specific users only, use "Match User" field as follows.
    Match User alice,bob,john
        PasswordAuthentication no
If you want to disable ssh password login for specific Linux group(s), use "Match Group" field. For example, to disable ssh password login for all users belonging to "sudoers" group:
    Match Group sudoers
        PasswordAuthentication no
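If you want to force ssh key authentication for non-root normal users, use "Match User" with a negated pattern. A negated pattern never produces a match on its own, so it has to be combined with a wildcard.
    Match User *,!root
        PasswordAuthentication no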
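To check which accounts a set of Match blocks really covers, here is an added example (not code from the original article or from OpenSSH) that models how sshd resolves PasswordAuthentication for a given user. The function names are hypothetical, the sample config is constructed, and the model assumes one User or Group criterion per Match line with the user's groups supplied by the caller.

```python
import fnmatch

# Constructed sample config (not from a real host); it mirrors the blocks above.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
Match User alice,bob,john
    PasswordAuthentication no
Match Group sudoers
    PasswordAuthentication no
"""

def pattern_list_matches(values, pattern_list):
    """OpenSSH pattern-list rule: a hit on a negated pattern fails the whole
    list, and at least one non-negated pattern must hit for a match.
    (fnmatch also accepts [..] sets, which OpenSSH patterns do not have.)"""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        glob = pat[1:] if negated else pat
        hit = any(fnmatch.fnmatchcase(v, glob) for v in values)
        if hit and negated:
            return False
        positive = positive or hit
    return positive

def password_auth(config_text, user, groups=()):
    """Effective PasswordAuthentication for user: the first matching Match
    block wins over the global section; sshd's built-in default is 'yes'."""
    global_val = match_val = None
    in_match = applies = False
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "match":
            in_match = True
            crit = words[1].lower() if len(words) == 3 else ""
            if crit == "user":
                applies = pattern_list_matches([user], words[2])
            elif crit == "group":
                applies = pattern_list_matches(groups, words[2])
            else:
                applies = False  # other criteria are not modelled here
        elif key == "passwordauthentication" and len(words) == 2:
            if not in_match and global_val is None:
                global_val = words[1].lower()
            elif in_match and applies and match_val is None:
                match_val = words[1].lower()
    return match_val or global_val or "yes"
```

On a live host, `sshd -T -C user=alice` prints the settings sshd itself would apply to that user, which is the authoritative check.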