How to force SSH login via public key authentication

Last updated on November 26, 2020 by Dan Nanni

There is an ongoing debate about the pros and cons of passwords versus keys as SSH authentication methods. The main advantage of key authentication is that it removes the password-guessing attack surface: there is no password to brute-force or to reuse from a leak elsewhere. The trade-off is that the private key has to be stored somewhere on the client system, which becomes another target for an attacker (a key without a passphrase is a plaintext credential on disk).

Still, one can argue that the ramifications of a cracked password are more serious than those of a compromised private key: a single password tends to be reused across multiple hosts and services, whereas a given key pair is only trusted by the servers whose authorized_keys files list its public key.

If you are running OpenSSH, you can enable or disable password authentication and key authentication independently of each other. Here is how to disable SSH password authentication on the server so that logins are forced to use public keys only.

NOTE: This guide covers the server-side configuration only: preventing password authentication so that key authentication is the only option left. I assume that you have already set up key authentication on the client side and can log in via your key (without typing a password). Verify that this works before proceeding, and keep the session you are working in open while you test: if the key login is broken and you reload sshd with passwords disabled, you lock yourself out. Test every change from a second terminal, never from the session you edited in. So be careful!

Force SSH Key Authentication for All Users Systemwide

Open the sshd configuration file and add the following line (or, if it is already present but commented out, uncomment it and set it to no):

$ sudo vi /etc/ssh/sshd_config
PasswordAuthentication no

Setting PasswordAuthentication no alone is often not enough. With UsePAM yes (the default on Debian, Ubuntu and RHEL-family systems), sshd can still collect the account password through PAM's keyboard-interactive method, so also set ChallengeResponseAuthentication no in the same file (on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication; the old name is kept as an alias). Next, check for an Include directive. Most distribution packages of OpenSSH 8.2 and later (Debian, Ubuntu, RHEL 9 and derivatives) put an Include /etc/ssh/sshd_config.d/*.conf line at the top of sshd_config, and since sshd keeps the first value it reads for each keyword, a PasswordAuthentication yes in a drop-in file (Ubuntu cloud images install one as 50-cloud-init.conf) silently overrides whatever you write further down in the main file. Fix the drop-in file too.

Finally, make sure that public key authentication is enabled. It is on by default, so this line only matters if something has turned it off:

PubkeyAuthentication yes

The RSAAuthentication keyword that older guides list next to it applies only to SSH protocol 1, which OpenSSH 7.4 removed from sshd; current versions ignore it with a deprecation warning, so leave it out.

Before reloading, validate the file with sudo sshd -t: it prints nothing on success and the offending line number on a syntax error. Then reload the SSH server configuration to make the change effective:

$ sudo /etc/init.d/ssh reload

On systemd-based distributions use sudo systemctl reload ssh (Debian, Ubuntu) or sudo systemctl reload sshd (RHEL, Fedora, Arch) instead. A reload does not drop existing sessions, so the shell you are working in stays usable. From a second terminal, confirm that the change took effect: sudo sshd -T | grep -i passwordauthentication should print passwordauthentication no, and a client forced to skip its key, ssh -o PubkeyAuthentication=no user@host, should be refused with "Permission denied (publickey)." rather than prompted for a password.

Force SSH Key Authentication for a Specific User

The setting above disables SSH password login system-wide. If you only want to disable it for individual users or groups, use Match blocks instead. A Match block applies to every line that follows it up to the next Match line, which is why these blocks belong at the end of the file, after all global settings. To see what sshd will actually apply to a given account once Match blocks are involved, run sudo sshd -T -C user=alice | grep -i passwordauthentication; the -C option makes the dump evaluate the Match lines for that user.

To disable SSH password authentication for specific users only, add the following Match User block at the end of the sshd config file:

Match User alice,bob,john
PasswordAuthentication no

To disable SSH password login for all members of one or more Linux groups, put a Match Group block at the end of the sshd config file. For example, to force key authentication for every user in the sudoers group (substitute the name your distribution uses for the admin group: sudo on Debian and Ubuntu, wheel on RHEL-family systems):

Match Group sudoers
PasswordAuthentication no

To force SSH key authentication for every account except root, place the following Match User block at the end of the sshd config file. Note the leading asterisk: in OpenSSH pattern lists a negated pattern can only exclude a match, never produce one on its own, so a bare Match User !root matches nobody and silently leaves password login enabled for everyone.

Match User *,!root
PasswordAuthentication no
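The two rules that make Match blocks behave unexpectedly, that a negated pattern never matches on its own and that the first Match block to set a keyword wins, are hard to check by eye. The following Python script is an added example (it is not code from the article or from OpenSSH): it re-implements the relevant parts of sshd's evaluation, namely the semantics of OpenSSH's match_pattern_list() and ga_match_pattern_list() and the first-value-wins precedence, and runs them over two constructed sshd_config snippets to show that a bare Match User !root leaves password login enabled for everyone while Match User *,!root does what the section intends. The user names, group names and config text are made-up sample data; only the User and Group criteria are modelled, and Include files are not.

```python
"""Which PasswordAuthentication value would sshd apply to a given user?

Added example (not from the article or OpenSSH). Models two sshd_config(5)
rules: for each keyword the first obtained value wins, with the first
*matching* Match block overriding the global section; and in pattern lists
a '!'-negated pattern can veto a match but never produce one on its own.
Only the User and Group criteria are modelled; Include files are not.
"""
import fnmatch


def match_pattern_list(string, pattern_list):
    """Port of OpenSSH match_pattern_list(): -1 = vetoed, 0 = no match, 1 = match."""
    got_positive = 0
    for sub in pattern_list.split(","):
        sub = sub.strip()
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatch.fnmatchcase(string, sub):   # '*' and '?' wildcards, as in sshd
            if negated:
                return -1                      # a negated hit vetoes the whole list
            got_positive = 1
    return got_positive                        # negations alone never yield a hit


def group_pattern_list(groups, pattern_list):
    """Port of OpenSSH ga_match_pattern_list(): any group may match, a veto wins."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def match_line_applies(criteria, user, groups):
    """Evaluate the criteria of one 'Match ...' line (all criteria must hold)."""
    if criteria.strip().lower() == "all":
        return True
    tokens = criteria.split()
    if len(tokens) % 2:
        raise ValueError("malformed Match line: " + criteria)
    for key, arg in zip(tokens[::2], tokens[1::2]):
        key = key.lower()
        if key == "user":
            if match_pattern_list(user, arg) != 1:
                return False
        elif key == "group":
            if not group_pattern_list(groups, arg):
                return False
        else:
            raise ValueError("Match criterion not modelled here: " + key)
    return True


def effective_value(config_text, keyword, user, groups=()):
    """Return the value sshd would use for `keyword` when `user` logs in."""
    keyword = keyword.lower()
    global_value = None   # first value seen in the global section
    match_value = None    # first value seen in a Match block that applies
    in_match = None       # None = global section, else whether the block applies
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = match_line_applies(arg, user, groups)
        elif key == keyword:
            if in_match is None and global_value is None:
                global_value = arg.lower()
            elif in_match and match_value is None:
                match_value = arg.lower()
    return match_value if match_value is not None else global_value


# Constructed sample snippets, not a real server's files.
BROKEN = """
PasswordAuthentication yes
PubkeyAuthentication yes
Match User !root            # a negation alone matches nobody
    PasswordAuthentication no
"""

FIXED = """
PasswordAuthentication yes
PubkeyAuthentication yes
Match Group sudo,wheel      # admin group name differs per distribution
    PasswordAuthentication no
Match User *,!root          # everyone except root
    PasswordAuthentication no
"""

# Made-up accounts: (user name, groups the user belongs to)
ACCOUNTS = (("alice", ("alice",)), ("bob", ("bob", "sudo")), ("root", ("root",)))


def report(config_text):
    """Map each sample user to the PasswordAuthentication value it would get."""
    return {user: effective_value(config_text, "PasswordAuthentication", user, groups)
            for user, groups in ACCOUNTS}


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, report(cfg))
```

Run it with python3 to see the per-user result for both snippets: with the broken snippet every account, root included, keeps password login; with the fixed one only root does. On a real host, ask sshd itself rather than a model: sudo sshd -T -C user=alice | grep -i passwordauthentication evaluates the actual files, Include drop-ins included.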


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
