
3. Disable Password Login

To securely access a remote server, an SSH key pair is used as an authentication mechanism. This involves two keys:

  1. A private key, which you keep secure on your local machine.
  2. A public key, which is shared with the server.

Key-based authentication eliminates the need for passwords at login and greatly improves security.

You can follow the instructions in either 3.1.1 or 3.1.2, depending on your needs:

  • Use 3.1.1 to generate and store the key in the default location.
  • Use 3.1.2 to generate and organize the key in a custom subfolder for better management.

This section guides you through generating a standard SSH key pair that can be used to authenticate with remote servers.

Run the following command on your local machine to generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  • -t rsa: Specifies the RSA algorithm for the key.
  • -b 4096: Sets the key size to 4096 bits (use 2048 if you prefer a smaller key).
  • -C "your_email@example.com": Adds a comment to the key, typically your email, for easier identification.

When prompted:

  • Enter a file name (or press Enter to use the default location, e.g., ~/.ssh/id_rsa).
  • (Optional) Provide a passphrase for the private key for extra security.

This creates:

  • A private key (e.g., ~/.ssh/id_rsa).
  • A public key (e.g., ~/.ssh/id_rsa.pub).

3.1.2 Generate an SSH key Pair in a custom subfolder


This approach is helpful if you need to manage multiple SSH keys for different servers or projects. It allows you to store SSH keys in custom subfolders, providing a structured way to organize and manage your keys across environments.

To generate an SSH key in a custom subfolder inside the .ssh/ directory, follow these steps:

  1. Create the Subfolder (if it doesn’t already exist):
mkdir -p ~/.ssh/my_custom_folder

Replace my_custom_folder with the desired folder name.

  2. Generate the Key in the Custom Subfolder: Run the ssh-keygen command and specify the full path for the key file:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ~/.ssh/my_custom_folder/id_rsa

  3. Ensure Correct Permissions: Make sure your .ssh/ folder, the subfolder within it, and the associated key files have the correct permissions:

chmod 700 ~/.ssh/
chmod 700 ~/.ssh/my_custom_folder/
chmod 600 ~/.ssh/my_custom_folder/id_rsa
chmod 644 ~/.ssh/my_custom_folder/id_rsa.pub
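
The permission rules above, turned into a check you can rerun whenever you add a key. This is an added example, not part of the original guide; the function name audit_ssh_perms and the demo tree are constructed for illustration. It recognises private keys by their PEM header rather than by file name.

```shell
#!/bin/sh
# Added example: report SSH client files whose modes are looser than the
# chmod values in this guide (700 folders, 600 private keys, 644 public keys).
# Usage: audit_ssh_perms [dir]      (dir defaults to ~/.ssh)
# Prints "<finding> <path>" per problem; returns 1 if anything was found.
audit_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    findings=$(
        # ~/.ssh and every subfolder: no group/other bits at all (700).
        find "$dir" -type d \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/dir-not-700 /'
        # Private keys, found by PEM header: no group/other bits at all (600).
        find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec grep -q -e '-----BEGIN .*PRIVATE KEY-----' {} \; -print |
            sed 's/^/key-not-600 /'
        # Public keys and the client config: nobody else may write to them.
        find "$dir" -type f \( -name '*.pub' -o -name config \) \
            \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable-by-others /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree mirroring the guide's layout, with two mistakes.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh/my_custom_folder"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' '(constructed, not a key)' \
    > "$demo/.ssh/my_custom_folder/id_rsa"
echo 'ssh-rsa AAAA-constructed your_email@example.com' \
    > "$demo/.ssh/my_custom_folder/id_rsa.pub"
chmod 700 "$demo/.ssh"
chmod 755 "$demo/.ssh/my_custom_folder"          # mistake: should be 700
chmod 644 "$demo/.ssh/my_custom_folder/id_rsa"   # mistake: should be 600
chmod 644 "$demo/.ssh/my_custom_folder/id_rsa.pub"
audit_ssh_perms "$demo/.ssh" || echo "fix the paths listed above"
```

Run audit_ssh_perms with no argument to check your real ~/.ssh folder.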

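Use the following command to copy your public key to the server (if you generated the key in a custom subfolder, use that path instead, e.g., ~/.ssh/my_custom_folder/id_rsa.pub):

ssh-copy-id -i ~/.ssh/id_rsa.pub username@server_ip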
  • Replace username with your server username.
  • Replace server_ip with the IP address or domain of the server.

It will prompt you for your server password. Once authenticated, the public key will be added to the server under ~/.ssh/authorized_keys for that user.

When connecting to the server with the custom key, you may need to explicitly specify the private key’s path if it’s not automatically detected:

ssh -i ~/.ssh/my_custom_folder/id_rsa username@server_ip

For a key in the default location:

ssh -i ~/.ssh/id_rsa username@server_ip

3.4. Simplify SSH Login with Configuration Settings


To make your SSH login process easier, you can configure the SSH client to remember and automatically use your custom SSH key(s) for specific servers by modifying the ~/.ssh/config file. Here’s how you can do it:

  1. Edit/Create the SSH Config File: Open or create the ~/.ssh/config file using your favorite text editor (like vim).
vim ~/.ssh/config
  2. Add an SSH Host Entry: Add the following configuration to the file:
Host server-alias
HostName server_ip
User username
IdentityFile ~/.ssh/id_rsa
ServerAliveInterval 60
ServerAliveCountMax 240

Replace:

  • server-alias with a name you prefer to use as an alias for this server (e.g., myserver).
  • server_ip with the IP address or domain of the server.
  • username with your username on the server.
  • ~/.ssh/id_rsa with the path to your private key (adjust this if you generated a key in a custom subfolder, e.g., ~/.ssh/my_custom_folder/id_rsa).

The last two settings control keep-alives:

  • ServerAliveInterval 60: Sends a keep-alive packet to the server every 60 seconds.
  • ServerAliveCountMax 240: Allows up to 240 unanswered keep-alives before the client disconnects, so the connection can stay alive for 4 hours (240 × 60 seconds).
  3. Save and Exit: Save the file and exit your editor.
  4. Set Correct Permissions: Ensure the ~/.ssh/config file has the correct permissions:
    chmod 600 ~/.ssh/config
  5. Test the SSH Login: Now, you can connect to the server simply using the configured alias:
ssh server-alias

This will automatically use the specified key and username for the connection.

If you generated the key in a custom subfolder (e.g., ~/.ssh/my_custom_folder), the configuration may look like this:

Host server-alias
HostName server_ip
User username
IdentityFile ~/.ssh/my_custom_folder/id_rsa
ServerAliveInterval 60
ServerAliveCountMax 240

Now, run ssh server-alias to quickly log in without explicitly specifying the username or key path.

3.5 Disable password authentication on the server


To set “PasswordAuthentication” to “no” on the server, you need to modify the SSH server configuration file (sshd_config). This ensures that only key-based authentication is allowed, further enhancing server security. Here’s how you can do it:


3.5.1. Disable Password Authentication on the Server

  1. Access the Server:
    Log into your server using SSH:
ssh username@server_ip
  2. Edit the SSH Configuration File:
    Open the SSH server configuration file using a text editor (e.g., vim); the command below edits the cloud-init drop-in in /etc/ssh/sshd_config.d/:
sudo vim /etc/ssh/sshd_config.d/50-cloud-init.conf
  3. Find and Update the PasswordAuthentication Setting:
    Search for the PasswordAuthentication line in the file. If it doesn’t exist, add it. Set its value to no:
PasswordAuthentication no
  4. (Optional) Also, ensure that PubkeyAuthentication is set to yes to allow key-based authentication:
PubkeyAuthentication yes

Public key authentication (SSH key authentication) is enabled by default. This means you don’t need to explicitly add or modify the line PubkeyAuthentication yes unless your configuration has been changed or you want to explicitly ensure that it’s set.

  5. Save and Exit:
    Save the file and exit your editor.
  6. Restart the SSH Service:
    Restart the SSH server to apply the changes:

sudo systemctl restart ssh
  7. Test the Configuration:
    Ensure that you can log in to the server using your key before closing your current SSH session:
ssh -i ~/.ssh/id_rsa username@server_ip

To confirm the changes, try connecting to the server without providing a key. The connection should be denied:

ssh username@server_ip
username@server_ip: Permission denied (publickey).

If everything works as expected, password authentication is now disabled and the server accepts only key-based logins.
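
sshd uses the first value it reads for each keyword, so a PasswordAuthentication line in one file can be overridden by a file read earlier. The following added example (not part of the original guide) checks the effective settings printed by sshd -T instead of any single file; the function name audit_sshd_auth and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `sshd -T` output on stdin and confirm that only
# key-based login remains. Returns 1 if any password-style method is on.
audit_sshd_auth() {
    awk '
        function want(key, val) {
            if (!(key in seen)) return 0   # keyword not printed by this OpenSSH version
            if (seen[key] == val) { print "ok   " key " " val; return 0 }
            print "FAIL " key " " seen[key] " (want " val ")"
            return 1
        }
        { seen[tolower($1)] = tolower($2) }   # sshd -T prints "keyword value"
        END {
            if (!("passwordauthentication" in seen)) {
                print "FAIL passwordauthentication missing (is this sshd -T output?)"
                exit 1
            }
            bad  = want("passwordauthentication", "no")
            # Keyboard-interactive (usually PAM) can still ask for a password.
            bad += want("kbdinteractiveauthentication", "no")
            bad += want("challengeresponseauthentication", "no")   # older name
            bad += want("pubkeyauthentication", "yes")
            exit (bad > 0)
        }'
}

# Constructed sample: effective config while a file read earlier still
# says "PasswordAuthentication yes".
sample_before='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
# Constructed sample: effective config after the change in this section.
sample_after='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'
printf '%s\n' "$sample_before" | audit_sshd_auth || echo "=> password login still enabled"
printf '%s\n' "$sample_after"  | audit_sshd_auth && echo "=> key-only login"
```

On the server, run `sudo sshd -t && sudo sshd -T | audit_sshd_auth` before closing your current session; `sshd -t` validates the syntax and `sshd -T` prints the merged, effective settings. From the client, `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password username@server_ip` forces a password-only attempt even when a default key exists on your machine.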