# How to Enable or Disable SSH Password Authentication on Linux Servers

Secure Shell (SSH) is the primary tool for remote access and management of Linux servers, supporting multiple authentication methods, such as password-based and public key-based login. By default, most Linux distributions allow password authentication, enabling users to log in using a username and password pair.

While password authentication is convenient and often necessary for initial setup, it presents a high security risk. This is because passwords can be guessed, cracked, or intercepted, especially if not combined with other hardening measures.

## Why Enable or Disable Password Authentication?
Disabling password authentication is a best practice for production systems, especially when SSH keys are already set up and in use. However, enabling password authentication might be necessary in some cases, such as during initial server setup, when configuring new users, or when public SSH keys are not feasible.

Typically, public key authentication is significantly more secure and resistant to brute-force attacks, making it the preferred choice for production systems. This process works on most modern Linux distributions, and requires root or sudo access privileges to set up.

Importantly, if password authentication is disabled but no public keys have been installed or validated, you may lose remote access to the server.

This guide provides a detailed explanation of how to enable or disable SSH password authentication, by modifying the SSH server configuration, as well as how to verify settings, and test access to prevent lockout.

## Instructions to Enable/Disable SSH Password Authentication on Linux Servers
### Step 1: Check the current SSH Password Authentication settings
Before making any changes, it is crucial to check whether SSH password authentication is currently enabled or disabled on your system. This setting is controlled in the SSH daemon configuration file located at */etc/ssh/sshd_config*, or optionally in files within the */etc/ssh/sshd_config.d/* directory.

1. Open the SSH configuration file.
   
   Use a text editor such as nano to open the SSH configuration.
   ```bash command
   sudo nano /etc/ssh/sshd_config
   ```
   Alternatively, run this command to list every line that mentions the password authentication setting, both in the main file and in any included configuration files that could override it:
   ```bash command
   sudo grep -i PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null
   ```
   ```bash output
   root@expert-lab:~# sudo grep -i PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null
   /etc/ssh/sshd_config:#PasswordAuthentication yes
   /etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
   /etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
   /etc/ssh/sshd_config:#PasswordAuthentication yes
   ```
2. Review the setting.

   Look for a line that reads:
   ```text
   PasswordAuthentication yes
   ```
   or
   ```text
   PasswordAuthentication no
   ```
   ```text
   GNU nano 7.2 /etc/ssh/sshd_config

   # Allow client to pass locale environment variables
   AcceptEnv LANG LC_*

   # override default of no subsystems
   Subsystem sftp /usr/lib/openssh/sftp-server

   # Example of overriding settings on a per-user basis
   #Match User anoncvs
   #       X11Forwarding no
   #       AllowTcpForwarding no
   #       PermitTTY no
   #       ForceCommand cvs server

   PasswordAuthentication yes
   PermitRootLogin yes

   ^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location
   ^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify ^/ Go To Line
   ```
   Interpret what you find as follows:
   - If the line is commented out (prefixed with #), the default value yes is likely in effect, allowing password authentication.
   - If the line is explicitly set to no, password authentication is disabled.
   - If it's set to yes, password login is enabled.
   - Snippets in */etc/ssh/sshd_config.d/* may override the main file. sshd uses the first value it obtains for each keyword, so a snippet pulled in by an Include line near the top of *sshd_config* takes precedence over a later line in the main file.
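
The grep in Step 1 lists every matching line but does not say which one sshd applies. The following added example (not part of the original guide) resolves that with sshd's first-value-wins rule on a constructed config tree; the function names and sample files are illustrative, and on a live server `sudo sshd -T` reports the value sshd itself computed.

```bash
# Added example (not from the original guide): resolve the global
# PasswordAuthentication value with sshd's "first value obtained wins" rule.

# scan_config FILE BASE: print the first global value found in FILE, following
# Include lines in place; exit status 1 means "not set here". Simplifications:
# lines after a Match are skipped for that file; quoting, "key=value" syntax
# and paths with spaces are not handled. Relative Include paths resolve against
# BASE (sshd itself uses /etc/ssh).
scan_config() (
    file=$1 base=$2
    [ -r "$file" ] || exit 1
    while read -r key value rest; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            match) exit 1 ;;                      # global section ends here
            passwordauthentication)
                printf '%s\n' "$value" | tr '[:upper:]' '[:lower:]'
                exit 0 ;;
            include)
                for pat in $value $rest; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do             # glob expands in sorted order
                        scan_config "$f" "$base" && exit 0
                    done
                done ;;
        esac
    done < "$file"
    exit 1
)

# effective_password_auth [MAIN]: fall back to the OpenSSH default, "yes".
effective_password_auth() {
    main=${1:-/etc/ssh/sshd_config}
    scan_config "$main" "$(dirname "$main")" || echo yes
}

# Constructed sample tree: the main file says "no", but a drop-in that is
# included earlier says "yes", so password logins stay enabled.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-example.conf"
printf '%s\n' 'Include sshd_config.d/*.conf' '#PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$demo_dir/sshd_config"
echo "effective: $(effective_password_auth "$demo_dir/sshd_config")"
rm -rf "$demo_dir"
```
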
### Step 2: Modify the SSH Password Authentication Setting
Now that you have verified the current configuration, you can proceed to enable or disable SSH password authentication based on your requirements.
1. Locate the existing directive.

   In the file you opened during Step 1 (*/etc/ssh/sshd_config* or a *.conf* file inside */etc/ssh/sshd_config.d/*), find the line:
   ```text
   PasswordAuthentication yes
   ```
   or
   ```text
   PasswordAuthentication no
   ```
2. Modify the value.

   To disable password login and require SSH keys only (recommended):
   ```text
   PasswordAuthentication no
   ```
   To enable password login (e.g., during initial setup or recovery):
   ```text
   PasswordAuthentication yes
   ```
3. Make sure only one active (uncommented) *PasswordAuthentication* directive is present across all config files.
4. Save and exit.
   
   If you are editing with nano, press Ctrl+O, Enter, and Ctrl+X to save and close.
5. If you modified a file inside */etc/ssh/sshd_config.d/*, ensure that it is not being overridden by the main config file, or vice versa.

### Step 3: Restart the SSH Service to Apply Changes
Once you have updated the SSH configuration to enable or disable password authentication, you need to restart the SSH daemon for the changes to take effect.
1. Restart the SSH service.

   Run the following command to restart the SSH daemon and apply your changes:
   ```bash command
   sudo systemctl restart ssh
   ```
   This applies the new configuration immediately. The unit is named ssh on Debian and Ubuntu; on distributions where it is named sshd (for example RHEL-based systems), substitute that name.
   - If your system uses ssh.socket (such as Ubuntu 24.04), you should run the following instead to ensure that the new configuration is picked up by the socket-based service, not just by sshd:
   ```bash command
   sudo systemctl daemon-reexec
   sudo systemctl restart ssh.socket
   ```
2. Validate SSH configuration (optional but recommended).

   Before restarting, you can check for syntax errors using:
   ```bash command
   sudo sshd -t
   ```
   If no output is returned, the configuration is valid.
3. Test the new authentication method in a second terminal.
   
   Keep your current SSH session open. In a second terminal, test login using:
   ```bash command
   ssh user@your_server_ip
   ```
   - If password authentication is enabled, you will be prompted for a password.
   - If password authentication is disabled and you have no SSH key set up, you will see an error like "*Permission denied (publickey)*".
   ```bash output
   root@CherryServers:~# ssh root@93.115.25.160
   root@93.115.25.160: Permission denied (publickey).
   ```
If you are locked out due to configuration errors or lack of key access, use the Console in the Cherry Servers Client Portal to log in and revert the changes. For further explanation of how to use the Cherry Servers console, please see our dedicated [how to access and manage the console guide](https://www.cherryservers.com/knowledge/docs/getting-started/access-the-server-console).