SSH disable password login for root (only allow public key authentication)

Secure Shell (SSH) is a protocol for logging in to remote servers securely: all traffic between client and server is encrypted, including the username and password used to log in.

For the root user to be able to log in at all, make sure it is listed in AllowUsers (if that directive is used) in the SSH server configuration file /etc/ssh/sshd_config.

Second, change PermitRootLogin from yes or no to without-password (on OpenSSH 7.0 and later the same setting is spelled prohibit-password; without-password is still accepted as an alias).

PermitRootLogin without-password

The value yes allows the root user to log in with a password. If this option is set to no, root login is disabled entirely. If it is set to without-password, password authentication is disabled for root, but root can still log in using a key.

If this option is set to forced-commands-only, root login with public key authentication is allowed, but only for keys whose authorized_keys entry carries a command option (which can be useful for taking remote backups even when root login is normally not allowed). All other authentication methods are disabled for root.

Another option is to disable password authentication over SSH globally, for all users:

PasswordAuthentication no

How to Create SSH Keys

The first step in configuring SSH key authentication for your server is to generate an SSH key pair on your local machine. We can use a utility called ssh-keygen, which is included with the standard OpenSSH suite of tools. On your local computer, generate an SSH key pair by typing: ssh-keygen

The utility will prompt you for a location to store the generated keys. By default, the keys are stored in the directory ~/.ssh within your user's home directory. The private key will be called id_rsa and the associated public key will be called id_rsa.pub.

How To Copy a Public Key to your Server

The easiest way to copy your public key to an existing server is to use a utility called ssh-copy-id. Because of its simplicity, this method is recommended where available.

The tool ssh-copy-id is included in the OpenSSH packages of many distributions, so you may already have it on your local system. For this method to work, you must already have password-based SSH access to your server.

To use the utility, you only need to specify the remote host you want to connect to and the user account you have password-based SSH access to. This is the account whose authorized_keys file your public SSH key will be copied into.

The syntax is: 

ssh-copy-id username@remote_host

Next, the utility scans your local account for the id_rsa.pub key created earlier. When it finds the key, it prompts you for the password of the remote user's account.

You will see output that looks like this:

Number of key(s) added: 1
Now try logging into the machine, with: ssh username@111.111.11.111
and check to make sure that only the key(s) you wanted were added.

If this doesn't work, you can also copy your public key over SSH as follows:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

If you were able to log in to your account over SSH without a password, you have successfully configured SSH key-based authentication for your account. However, password-based authentication is still active, meaning that your server is still exposed to brute-force attacks.

Open /etc/ssh/sshd_config, uncomment the following line, set its value to no, and restart the SSH service. Keep your current session open until you have confirmed that a new key-based login works.

PasswordAuthentication no

Now you can SSH into your server with ssh username@server-name using key-based authentication.
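The following script is an added example, not part of the original post: it applies the two sshd_config directives described above (PermitRootLogin and PasswordAuthentication) to a config file idempotently, reads back the values sshd will actually honour, and demonstrates on a constructed sample file rather than a live server. The function names, the sample file contents and the "Match User backup" line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: set the two sshd_config
# directives the post recommends and check the effective values. Try it on
# a copy first; the live file is /etc/ssh/sshd_config ("sshd -t" validates).

# first_value FILE KEY: value of the first uncommented KEY line, which is
# the one sshd honours when a directive appears more than once.
first_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# set_directive FILE KEY VALUE: rewrite every KEY line (commented or not) as
# "KEY VALUE". An absent key is inserted at the top, not appended, because a
# line after a "Match" block would apply only inside that block.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[#[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s/^[#[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"   # in place: keeps mode and owner
}

# check_hardened FILE: succeed only when root cannot log in with a password
# and password authentication is off globally; name the bad value otherwise.
check_hardened() {
    root=$(first_value "$1" PermitRootLogin)
    pw=$(first_value "$1" PasswordAuthentication)
    case $root in
        prohibit-password|without-password|no) ;;
        *) echo "PermitRootLogin is '${root:-unset}'"; return 1 ;;
    esac
    [ "$pw" = no ] || { echo "PasswordAuthentication is '${pw:-unset}'"; return 1; }
}

# demo_config: constructed sample (not a real server's config) mirroring the
# stock commented-out defaults plus a Match block; prints its path.
demo_config() {
    f=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' \
        '#PasswordAuthentication yes' 'Match User backup' > "$f"
    echo "$f"
}
cfg=$(demo_config)
set_directive "$cfg" PermitRootLogin prohibit-password
set_directive "$cfg" PasswordAuthentication no
check_hardened "$cfg" && echo "$cfg: password login disabled for root and globally"
```

On a real host, run the set_directive calls as root against /etc/ssh/sshd_config, then validate with sshd -t before restarting the service.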


Anup Chhetri

IT system administrator
