Disable PasswordAuthentication


The "PasswordAuthentication" SSHD configuration specifies whether password authentication is allowed. The default is yes.

Why you should disable access through password

Password authentication is susceptible to brute-force and man-in-the-middle attacks. While it is possible to have strong passwords, users tend to use weak passwords and not follow password best practices making the server extremely susceptible to hacking. Another con of password authentication is that the SSH client sends usernames and passwords to the server being logged into, making this method vulnerable to more types of attacks. The best practice for authentication is to use only public keys, disabling password authentication.

How to disable PasswordAuthentication

You need to add or change a setting at the SSHD configuration file.

Look for PasswordAuthentication at /etc/ssh/sshd_config:

grep PasswordAuthentication /etc/ssh/sshd_config

If the output isn’t empty, the argument is present in the file. Edit the file /etc/ssh/sshd_config and replace the current PasswordAuthentication value for no. If the line is commented (contains a leading #), uncomment it removing the leading #.

If the output is empty, this argument could still be defined in a .conf file at /etc/ssh/sshd_config.d/. Check there too:

grep PasswordAuthentication /etc/ssh/sshd_config.d/*.conf
The /etc/ssh/sshd_config.d/ directory doesn’t exist at Ubuntu 18.04, you only need to check it if you`re using Ubuntu 20.04 or more recent.

If the output isn’t empty, edit the file where the argument is defined, changing its value to no.

If you couldn’t find the argument definition anywhere, edit the file /etc/ssh/sshd_config and include the following line:

PasswordAuthentication no

Finally, restart the SSHD service:

sudo systemctl restart sshd