How to Enable or Disable SSH Password Authentication on Linux Servers
Secure Shell (SSH) is the primary tool for remote access and management of Linux servers, supporting multiple authentication methods, such as password-based and public key-based login. By default, most Linux distributions allow password authentication, enabling users to log in using a username and password pair.
While password authentication is convenient and often necessary for initial setup, it presents a high security risk. This is because passwords can be guessed, cracked, or intercepted, especially if not combined with other hardening measures.
#Why Enable or Disable Password Authentication?
Disabling password authentication is a best practice for production systems, especially when SSH keys are already set up and in use. However, enabling password authentication might be necessary in some cases, such as during initial server setup, when configuring new users, or when public SSH keys are not feasible. Typically, public key authentication is significantly more secure and resistant to brute-force attacks, making it the preferred choice for production systems. This process works on most modern Linux distributions, and requires root or sudo access privileges to set up.
Importantly, if password authentication is disabled but no public keys have been installed or validated, you may lose remote access to the server.
This guide provides a detailed explanation of how to enable or disable SSH password authentication, by modifying the SSH server configuration, as well as how to verify settings, and test access to prevent lockout.
#Instructions to Enable/Disable SSH Password Authentication on Linux Servers
#Step 1: Check the current SSH Password Authentication settings
Before making any changes, it is crucial to check whether SSH password authentication is currently enabled or disabled on your system. This setting is controlled in the SSH daemon configuration file located at /etc/ssh/sshd_config, or optionally in files within the /etc/ssh/sshd_config.d/ directory.
- Open the SSH configuration file.
Use a text editor such as nano to open the SSH configuration.
sudo nano /etc/ssh/sshd_config
Alternatively, run this command to list every PasswordAuthentication line in the main file and in any included configuration files, so that overrides are visible:
sudo grep -i PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null
Output
root@expert-lab:~# sudo grep -i PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:#PasswordAuthentication yes
- Review the Setting.
Look for a line that reads:
PasswordAuthentication yes
or
PasswordAuthentication no
GNU nano 7.2 /etc/ssh/sshd_config
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
PermitRootLogin yes
Several factors can make it hard to tell whether password authentication is currently enabled or disabled:
- If the line is commented out (prefixed with #), the default value yes is likely in effect, allowing password authentication.
- If the line is explicitly set to no, password authentication is disabled.
- If it's set to yes, password login is enabled.
- Snippets in /etc/ssh/sshd_config.d/ may override the main file.
#Step 2: Modify the SSH Password Authentication Setting
Now that you have verified the current configuration, you can proceed to enable or disable SSH password authentication based on your requirements.
- Locate the existing directive
In the file you opened during Step 1 (/etc/ssh/sshd_config or a .conf file inside /etc/ssh/sshd_config.d/), find the line:
PasswordAuthentication yes
or
PasswordAuthentication no
- Modify the value
To disable password login and require SSH keys only (recommended):
PasswordAuthentication no
To enable password login (e.g., during initial setup or recovery):
PasswordAuthentication yes
- Make sure only one active (uncommented) PasswordAuthentication directive is present across all config files.
- Save and exit.
If you are editing with nano, press Ctrl+O, Enter, and Ctrl+X to save and close.
- If you modified a file inside /etc/ssh/sshd_config.d/, ensure that it is not being overridden by the main config file, or vice versa.
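The override check described in Steps 1 and 2 can be done mechanically. The shell script below is an added example, not part of the original guide: it lists every active PasswordAuthentication directive in the order sshd reads the files and reports the first one, which is the value sshd uses, because sshd keeps the first value it obtains for a keyword. The function names, the temporary directory and the file 50-example.conf are constructed for illustration; the script assumes one pattern per Include line and skips anything after a Match line.

```shell
#!/usr/bin/env bash
# Lists active PasswordAuthentication lines in the order sshd reads them.
# sshd keeps the first value it obtains for a keyword, so the first hit is
# the effective global setting. Assumptions: one pattern per Include,
# relative Include paths resolved against the main file's directory, and
# anything after a Match line in a file is skipped as conditional.

scan_file() {  # $1 = config file; prints "file:line:value" per active hit
  local file="$1" n=0 in_match=0 dir key val rest pat inc
  dir=$(dirname "$file")
  while read -r key val rest || [ -n "$key" ]; do
    n=$((n + 1))
    if [ "$in_match" -eq 1 ]; then continue; fi
    case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
      match) in_match=1 ;;
      include)
        pat=$val
        case $pat in /*) ;; *) pat=$dir/$pat ;; esac
        for inc in $pat; do          # glob expands in sorted order
          if [ -f "$inc" ]; then scan_file "$inc"; fi
        done ;;
      passwordauthentication)
        printf '%s:%s:%s\n' "$file" "$n" "$val" ;;
    esac
  done < "$file"
  return 0
}

effective_password_auth() {  # $1 = main config; prints yes or no
  local first
  first=$(scan_file "$1" | head -n 1)
  if [ -z "$first" ]; then echo yes; return 0; fi   # OpenSSH default
  printf '%s\n' "${first##*:}" | tr '[:upper:]' '[:lower:]'
}

make_demo() {  # builds a constructed config tree, prints the main file path
  local d
  d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  printf '%s\n' 'Include sshd_config.d/*.conf' '#PasswordAuthentication yes' \
    'PermitRootLogin yes' 'PasswordAuthentication no' > "$d/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' > "$d/sshd_config.d/50-example.conf"
  printf '%s\n' "$d/sshd_config"
}

main_cfg=$(make_demo)
scan_file "$main_cfg"        # snippet's "yes" is listed before the main file's "no"
echo "effective: $(effective_password_auth "$main_cfg")"
rm -rf "$(dirname "$main_cfg")"
```

On a live server, `sudo sshd -T` prints the configuration sshd has actually resolved and is the authoritative check; this script adds which file and line each value comes from.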
#Step 3: Restart the SSH Service to Apply Changes
Once you have updated the SSH configuration to enable or disable password authentication, you need to restart the SSH daemon for the changes to take effect.
- Restart the SSH service.
Run the following command to restart the SSH daemon and apply your changes:
sudo systemctl restart ssh
This command is valid on most Linux systems and will reload the configuration immediately.
- If your system uses ssh.socket (such as Ubuntu 24.04), you should run the following instead to ensure that the new configuration is picked up by the socket-based service, not just by sshd:
sudo systemctl daemon-reexec
sudo systemctl restart ssh.socket
- Validate SSH configuration (optional but recommended).
Before restarting, you can check for syntax errors using:
sudo sshd -t
If no output is returned, the configuration is valid.
- Test the new authentication method in a second terminal.
Keep your current SSH session open. In a second terminal, test login using:
ssh user@your_server_ip
- If password authentication is enabled, you will be prompted for a password.
- If password authentication is disabled and you have no SSH key set up, you will see an error like "Permission denied (publickey)".
Output
root@CherryServers:~# ssh root@93.115.25.160
root@93.115.25.160: Permission denied (publickey).
If you are locked out due to configuration errors or lack of key access, use the Console in the Cherry Servers Client Portal to log in and revert the changes. For further explanation of how to use the Cherry Servers console, see our dedicated guide on how to access and manage the console.