How to force ssh login via public key authentication

There is ongoing debate on the pros and cons of using passwords versus keys as ssh authentication methods. A main advantage of key authentication is that it protects you against brute-force password guessing attacks. However, requiring a private key for ssh access means that you have to store the key somewhere on the client system, which can be another avenue of attack.

Still, one can argue that the ramifications of a cracked password are more serious than those of a compromised private key, because a single password tends to be reused for multiple hosts and services, while the validity of a given private key is generally limited to a specific ssh server.

If you are using openssh, you can flexibly enable or disable password authentication and key authentication. Here is how to disable ssh password authentication so that you can force ssh login via public key only.

NOTE: This guide covers the SSH server-side configuration for preventing password authentication and forcing key authentication. I assume that you have already set up key authentication on the client side, so that you can log in to the SSH server with a key (without using a password). Before proceeding with the rest of this tutorial, verify that key authentication works. Otherwise you may lose SSH access while testing this tutorial. So be careful!

Open the sshd configuration file and add the following line (or uncomment it if it is already present but commented out).

$ sudo vi /etc/ssh/sshd_config
PasswordAuthentication no

Make sure that you have the following in /etc/ssh/sshd_config, in order to allow private/public key authentication.

RSAAuthentication yes
PubkeyAuthentication yes

Finally, reload the ssh server configuration so that the change takes effect.

$ sudo /etc/init.d/ssh reload

The setting above disables ssh password login system-wide. If you only want to disable ssh password login for particular users or groups, use a Match block instead, as described below.

If you want to disable ssh password authentication for specific users only, add the following "Match User" block at the end of the sshd config file. It must go at the end because a Match block extends to the next Match line or to the end of the file, so any directive placed after it becomes part of the block (and sshd will refuse to start if that directive is not one allowed inside Match).

Match User alice,bob,john
PasswordAuthentication no

If you want to disable ssh password login for specific Linux group(s), put a "Match Group" block at the end of the sshd config file. For example, to disable ssh password login for all members of the "sudoers" group:

Match Group sudoers
PasswordAuthentication no

If you want to force ssh key authentication for all normal (non-root) users, place the following "Match User" block at the end of the sshd config file. Note the leading wildcard: in sshd pattern lists a negated entry on its own never produces a positive match, so "Match User !root" by itself would apply to nobody.

Match User *,!root
PasswordAuthentication no
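How sshd combines these directives, as an added Python model that is not part of the article: the first value seen for a keyword wins, a Match block runs to the next Match line or the end of the file and accepts only certain keywords, and a negated pattern such as !root needs a wildcard partner to match anyone. The sample config and the keyword subset in MATCH_ALLOWED are constructed; on a real server, `sudo sshd -t` validates the file and `sudo sshd -T -C user=alice` prints the values sshd would apply to alice.

```python
import re

# Subset of the keywords that sshd_config(5) permits inside a Match block.
MATCH_ALLOWED = {"passwordauthentication", "pubkeyauthentication", "permitrootlogin"}

def pattern_list_matches(patterns, name):
    # OpenSSH pattern list: '*'/'?' wildcards, '!' negates, and a negated entry on
    # its own never gives a positive match, so '!root' must be written '*,!root'.
    positive = False
    for pat in patterns.split(","):
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, name):
            if pat.startswith("!"):
                return False
            positive = True
    return positive

def parse_sshd_config(text):
    global_opts, blocks, current = {}, [], None   # blocks: [(criteria, opts)]
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = {}
            blocks.append((value.split(), current))  # e.g. ["User", "*,!root"]
        elif current is not None and key not in MATCH_ALLOWED:
            # sshd refuses to start on this, which is how every user gets locked out
            raise ValueError(f"'{key}' is not allowed within a Match block")
        else:  # like sshd, the first value seen for a keyword wins
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def effective(text, keyword, user, groups=()):
    """First matching Match block (User/Group criteria only) that sets `keyword` wins, else global."""
    global_opts, blocks = parse_sshd_config(text)
    for criteria, opts in blocks:
        hit = all(pattern_list_matches(p, user) if c.lower() == "user" else
                  any(pattern_list_matches(p, g) for g in groups) if c.lower() == "group"
                  else False for c, p in zip(criteria[::2], criteria[1::2]))
        if hit and keyword.lower() in opts:
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower(), "yes")  # sshd default when unset

# Constructed sample following the article, with the Match blocks last in the file.
SAMPLE = """PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sudoers
PasswordAuthentication no
Match User *,!root
PasswordAuthentication no"""
```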

Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

6 thoughts on “How to force ssh login via public key authentication”

  1. Following your instructions nearly cost me an entire afternoon's work! I had just set up svn+ssh using key/pair authentication and the last step was to make sure the 'svn' user that I created could not log in without a public key. I'm running Ubuntu Server 12.04 and, as you suggested, I added the following lines to /etc/ssh/sshd_config right underneath the commented-out line: #PasswordAuthentication yes

    Match User svn
    PasswordAuthentication no

    I saved the file, reloaded ssh and thought everything was fine.

    In hindsight I should never have logged out of my current session and instead opened a new terminal window to test this out. Instead I logged out and then attempted to ssh using the svn user. As expected I received a connection refused message. Next I tried to log back in with my other user (okuser) but to my horror that connection was refused too! Those are the only two users on the VPS and root logins via ssh are not allowed.

    I had to call the I.T. guy at home on a Friday night and ask him for help. At first he wanted to re-image it from last night's backup but when I told him that I had spent hours setting this up and that everything was done, he decided to try and fix it instead. Thankfully he was able to get it fixed and all is well, except that I'm back to where I was before I tried this and can still ssh into the VPS as the svn user using a password.

    Any ideas as to what I should have done differently?

    • Ouch. Sorry to hear that. Perhaps I should have been clearer. In this tutorial, I actually assumed that you can log in to your SSH server with key authentication (not using a password), meaning you already put your public key in ~/.ssh/authorized_keys on the remote SSH server before trying this tutorial. I updated the tutorial to add warnings about it. Please check.

      • I did already have the keys set up. On the server I had created two keys for svnuser1 and svnuser2 and added them to /home/svn/.ssh/authorized_keys. I then modified the authorized_keys file so that each entry looked like this:
        command="/usr/bin/svnserve -t -r /var/svn/ --tunnel-user=svnuser1",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAA...acFHU= svnuser1

        On my local machine I had already installed the private key for svnuser1 using:
        scp svn@example.com:/home/svn/keys/svnuser1.key ~/.ssh/id_dsa

        Once that was done I tested svn+ssh and it worked using the key/pair combination:
        svn co svn+ssh://svn@example.com/repo/trunk/ /var/www/test

        The project was checked out without requiring a password.

        It was after that when I found your article and attempted to prevent the svn user from authenticating via ssh without a key. Your instructions explained how to prevent ssh via password for a single user and I followed them. The end result was that it prevented ssh access for every user. I ssh into that server with a user named okuser and I need that to continue happening. It's only the svn user that should be prevented from logging in via ssh without a key.

        So my question really is, should this:
        Match User svn
        PasswordAuthentication no

        be placed at the bottom of the file? Should I uncomment the line above it that says '#PasswordAuthentication yes' to implicitly turn PasswordAuthentication on first? What is missing from the instructions that ultimately caused my server to stop allowing any ssh connections?

        • Yes, place the "Match User" block at the end of config file.
          You can leave "#PasswordAuthentication yes" commented out.

          Also, verify that you have the following somewhere in the config file:
          RSAAuthentication yes
          PubkeyAuthentication yes

          Hope this helps.

          • Thank you for clearing this up and for updating the tutorial to reflect that the settings get added to the bottom of the file. That will save the next person who finds this article a lot of trouble!! I'm super impressed with how quickly you responded and how helpful you've been!! Thanks again.
