Comprehensive Guide to Disabling SSH Password Authentication: From Troubleshooting to Best Practices

Nov 26, 2025 · Programming

Keywords: SSH configuration | password authentication disable | sshd_config | security hardening | troubleshooting

Abstract: This article provides an in-depth analysis of common issues encountered when disabling SSH password authentication, explaining the mechanism of key configuration parameters in sshd_config based on real-world cases. By comparing user configurations with actually effective settings, it reveals the impact of Include directives on configuration overrides and offers complete solutions with verification steps. The discussion also covers best practices for related security parameters to help readers master SSH security hardening techniques comprehensively.

Problem Background and Phenomenon Analysis

Disabling password authentication is a common security hardening measure in SSH server configuration. However, users often encounter situations where configurations appear correct but password prompts still occur. From the provided debug information, it's evident that although the user configured PasswordAuthentication no, the SSH client still displays Authentications that can continue: publickey,password and eventually proceeds to password authentication.

Core Configuration Parameter Analysis

The authentication behavior of SSH servers is determined by multiple parameters in the /etc/ssh/sshd_config file. Key parameters include:

The PasswordAuthentication parameter controls whether password-based authentication is allowed. The default value is yes; setting it to no disables password authentication. In practice, however, the setting can be overridden: sshd keeps the first value it reads for each keyword, so a file pulled in by an Include directive that appears earlier in sshd_config takes precedence over a later line in the main file.

The ChallengeResponseAuthentication parameter manages challenge-response (keyboard-interactive) authentication, which is the path through which PAM typically prompts for a password; in OpenSSH 8.7 and later it is a deprecated alias for KbdInteractiveAuthentication. Setting it to no disables this authentication method.

The UsePAM parameter enables the Pluggable Authentication Module interface. When set to yes, PAM can still prompt for a password through keyboard-interactive authentication even after PasswordAuthentication is set to no, so it's recommended to set it to no when disabling password authentication. Note that UsePAM no also disables PAM account and session processing (for example pam_limits or pam_motd modules on Ubuntu), so check what your PAM stack provides before turning it off.

Configuration Override Problem Diagnosis

Analyzing the user's provided configuration file reveals a critical issue: in standard Ubuntu systems, the /etc/ssh/sshd_config file contains an Include /etc/ssh/sshd_config.d/*.conf directive near the top of the file. This directive loads all configuration files in the /etc/ssh/sshd_config.d/ directory, which may contain settings that re-enable password authentication.

Specifically, the /etc/ssh/sshd_config.d/50-cloud-init.conf file by default contains a PasswordAuthentication yes setting. Because the Include directive is read before the PasswordAuthentication no line in the main file, and sshd uses the first value it obtains for each keyword, the drop-in file's value wins and the main file's setting is never applied. This is the fundamental reason why password authentication remains available even when the user correctly configures the main file.

Complete Solution

To completely disable SSH password authentication, follow these steps:

First, edit the main configuration file: sudo nano /etc/ssh/sshd_config

Ensure the following key parameters are correctly set:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no

Second, address the configuration override issue. There are two methods:

Method 1: Remove or modify the override file

sudo rm /etc/ssh/sshd_config.d/50-cloud-init.conf

Method 2: Comment out the Include directive (note that this also stops sshd from reading any other drop-in file in that directory)

sudo sed -i 's/^Include/#Include/' /etc/ssh/sshd_config

Finally, restart the SSH service to apply the configuration:

sudo service ssh restart

Or use systemctl:

sudo systemctl restart ssh
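As an added example that is not part of the original article, the following POSIX shell script performs all of the steps above in one idempotent pass: it sets the four parameters in the main file and applies Method 1 in its "modify" form to every drop-in under sshd_config.d/, so that no included file can re-enable password authentication. The script is my own and assumes only awk and a POSIX sh (written for dash/bash); it takes the configuration root as an argument so it can be rehearsed on a copy of /etc/ssh, deliberately leaves lines inside Match blocks alone because they are conditional, and inserts a key that is absent from the main file at the very top, ahead of any Include directive, because sshd keeps the first value it reads.

```shell
#!/bin/sh
# Added example (not from the article): apply the four settings and fix the
# drop-in override in one idempotent pass.  Usage:
#   sudo sh harden-sshd.sh --apply            # edits /etc/ssh
#   sh harden-sshd.sh --apply /tmp/ssh-copy   # rehearse on a copied tree
set -eu

# Settings from the article, applied in this order.
WANTED='PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no'

# set_option FILE KEY VALUE ADD
# Rewrites the first global "KEY ..." line (keyword match is case-insensitive,
# the "Key=Value" form is accepted) to "KEY VALUE" and drops later global
# duplicates.  Lines inside Match blocks are conditional and are left as they
# are.  If the key is absent and ADD is non-empty, "KEY VALUE" is written at
# the top of the file so it precedes any Include directive.
set_option() {
  awk -v key="$2" -v value="$3" -v add="$4" '
    BEGIN { lk = tolower(key); found = 0; n = 0; in_match = 0 }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, "[ \t=]+")
      w = tolower(f[1])
      if (w == "match") in_match = 1
      if (!in_match && w == lk) {
        if (found) next                      # later duplicate: drop it
        out[++n] = key " " value; found = 1; next
      }
      out[++n] = $0
    }
    END {
      if (!found && add) print key " " value # absent: first line wins in sshd
      for (i = 1; i <= n; i++) print out[i]
    }' "$1" > "$1.tmp"
  cat "$1.tmp" > "$1" && rm -f "$1.tmp"      # keep the original inode and mode
}

# disable_ssh_passwords [ROOT]: ROOT defaults to /etc/ssh.
disable_ssh_passwords() {
  root=${1:-/etc/ssh}; main=$root/sshd_config
  [ -f "$main" ] || { echo "no sshd_config under $root" >&2; return 1; }
  while read -r key value; do
    set_option "$main" "$key" "$value" 1
    # Method 1 from the article, generalised: correct every drop-in that sets
    # the key, instead of deleting 50-cloud-init.conf.  Keys the drop-in does
    # not mention are not added to it (ADD is empty).
    for f in "$root"/sshd_config.d/*.conf; do
      [ -f "$f" ] || continue
      set_option "$f" "$key" "$value" ""
    done
  done <<EOF
$WANTED
EOF
}

[ "${1:-}" = "--apply" ] && disable_ssh_passwords "${2:-}"
```

After running it, validate and inspect before restarting: sudo sshd -t for a syntax check, then sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractive|challengeresponse|usepam|permitrootlogin' to confirm the merged values, and keep your current session open until a fresh key-based login has succeeded.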

Verification and Testing

After configuration, verification testing is necessary:

First confirm that key authentication works properly, using ssh -v user@hostname for detailed debugging. The "Authentications that can continue:" line in the output should list only publickey, with no password or keyboard-interactive method appearing.

Attempting to log in with a password should be immediately rejected, displaying Permission denied (publickey) error message.

Security Best Practices

Beyond disabling password authentication, consider these additional security hardening measures:

Set PermitRootLogin no to prohibit direct root login, forcing users to log in as regular users and then escalate privileges.

Configure AllowUsers or AllowGroups to restrict which users or groups can log in.

Change the default SSH port to reduce the risk of automated attacks.

Limit failed login attempts, for example with MaxAuthTries in sshd_config or a log-based tool such as fail2ban, to slow down brute force attacks.

Troubleshooting Guide

If problems persist after configuration, troubleshoot using these steps:

Check all relevant configuration files to ensure no other files re-enable password authentication.

Use sudo sshd -T to print the configuration that is actually in effect after all Include files have been merged; the keywords are printed in lower case, so check for lines such as passwordauthentication no.

Examine the system logs in /var/log/auth.log (or journalctl -u ssh on systemd-based systems) for detailed information about the authentication process.

Confirm that the SSH service has actually been restarted and configuration changes have been loaded.
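sshd -T shows the merged result but not which file supplied each value. As an added example that is not part of the original article, the following POSIX shell resolver reproduces sshd's rule that the first value read for a keyword wins, following Include directives in order with glob matches in collation order and stopping at the first Match block because everything after it is conditional. It serves both the override diagnosis above (it points straight at 50-cloud-init.conf) and the "check all relevant configuration files" step here, and is meant for auditing a copied configuration tree offline; sshd -T remains the authority. The script is my own; relative Include paths are resolved under /etc/ssh unless SSHD_CONF_DIR, a knob of this script and not an sshd setting, says otherwise.

```shell
#!/bin/sh
# Added example (not from the article): print the value sshd would use for a
# keyword and the file:line that supplied it, following Include directives.
#   sh resolve-sshd.sh PasswordAuthentication [/etc/ssh/sshd_config]
set -eu

# resolve_key KEY FILE
# Prints "value<TAB>file:line" for the first global occurrence of KEY and
# returns 0; returns 1 when no global value is set (only Match blocks, or none).
resolve_key() {
  local key file tmp lineno kw rest inc f found
  key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  file=$2
  [ -r "$file" ] || return 1
  tmp=$(mktemp)
  # Normalise each line to "lineno<TAB>keyword<TAB>arguments", skipping blanks
  # and comments and accepting the "Key=Value" spelling sshd allows.
  awk '{
    line = $0; sub(/^[ \t]+/, "", line)
    if (line == "" || line ~ /^#/) next
    if (!match(line, /^[A-Za-z0-9]+/)) next
    kw = tolower(substr(line, 1, RLENGTH))
    rest = substr(line, RLENGTH + 1)
    sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
    print NR "\t" kw "\t" rest
  }' "$file" > "$tmp"
  found=1
  while IFS="$(printf '\t')" read -r lineno kw rest; do
    case $kw in
      match) break ;;                 # the rest of this file is conditional
      include)
        set -f; set -- $rest; set +f  # split the patterns without expanding yet
        for inc; do
          case $inc in /*) ;; *) inc="${SSHD_CONF_DIR:-/etc/ssh}/$inc" ;; esac
          for f in $inc; do           # glob expands in collation order, like sshd
            [ -f "$f" ] || continue
            if resolve_key "$key" "$f"; then found=0; break 3; fi
          done
        done ;;
      "$key") printf '%s\t%s:%s\n' "$rest" "$file" "$lineno"; found=0; break ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return $found
}

[ $# -ge 1 ] && resolve_key "$1" "${2:-/etc/ssh/sshd_config}"
```

On a stock Ubuntu cloud image, resolve_key PasswordAuthentication /etc/ssh/sshd_config reports yes from 50-cloud-init.conf:1, which is exactly the override described earlier. The same rule explains both fixes: a drop-in whose name sorts before 50-cloud-init.conf is read first and wins, and any line placed below the Include in the main file loses, while commenting out the Include removes the drop-ins from the search entirely.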

Through systematic configuration and verification, you can ensure the SSH server only allows public key authentication, significantly enhancing system security.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.