
Harden sshd: Disable Password Authentication

Lock SSH down to keys only: disable password and root login in sshd_config, the settings that actually matter, and how to apply them without locking yourself out.

Ishan Karunaratne

Password authentication is the surface that brute-force bots hammer all day. Once your key is installed and you have confirmed it works, turn passwords off. Bots will still knock, but with no password path left there is nothing for them to guess.

The settings that matter

Edit /etc/ssh/sshd_config (or, better, a drop-in like /etc/ssh/sshd_config.d/99-hardening.conf on distros whose sshd_config carries an Include /etc/ssh/sshd_config.d/*.conf line). Two rules govern drop-ins: sshd keeps the first value it reads for a keyword, and Include globs are read in lexical order. A 99- file therefore loses to any earlier-sorting file that already sets the same keyword (Ubuntu cloud images, for example, ship 50-cloud-init.conf with PasswordAuthentication yes). A name that sorts first, such as 00-hardening.conf, avoids that, and sudo sshd -T prints the merged config so you can see which value won:

code
# Keys only, no passwords
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# No direct root login
PermitRootLogin no

KbdInteractiveAuthentication no matters: with UsePAM yes (which Debian, Ubuntu and RHEL ship enabled), PAM can still prompt for a password over the keyboard-interactive method even after PasswordAuthentication no, so disable both. On OpenSSH before 8.7 the same setting is spelled ChallengeResponseAuthentication. PermitRootLogin no forces everyone in through a normal account plus sudo; make sure that account exists, has a working key, and is in the sudo group before you set it.

Apply it without locking yourself out

This is the part people get wrong. Before you cut over, prove key auth works, and keep a second session open.

bash
# 1. In a SECOND terminal, confirm you can log in with your key right now.
ssh user@server

# 2. Check the config for syntax errors before restarting.
sudo sshd -t

# 3. Reload (does not drop existing sessions).
sudo systemctl reload ssh   # or: sudo systemctl reload sshd

Keep your existing session open until a brand-new connection succeeds. If something is wrong, you still have the open session to fix it. sshd -t catches typos before they take the service down, but it does not tell you whether your value actually won against other config files; only sshd -T and a fresh login do that. Also prove the negative: from a second client, force a password attempt and confirm it is refused, not merely unused.
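The two checks the steps above rely on, as an added example that is not part of the original post: a helper that walks sshd_config the way sshd does (expanding Include globs in lexical order, keeping the first value it meets, stopping at the first Match block) so you can see which file actually wins for a keyword, and a check that reads sshd -T output and flags any of the four settings that did not take effect. The script name, the --check flag and the /etc/ssh default path are this example's own conventions, not anything the post defines.

```bash
#!/usr/bin/env bash
# Added example: two helpers for checking what sshd will actually enforce.
# Not from the original post; the --check flag and file layout are assumed.

# Print the first value sshd would take for keyword $1 when reading config
# file $2 (default /etc/ssh/sshd_config). Mirrors how sshd resolves it:
# first value wins, Include directives are expanded in place with glob
# matches in lexical order, keywords are case-insensitive. Stops at the
# first Match block, whose values are conditional. Accepts "Key value" and
# "Key=value"; returns 1 if the keyword is never set unconditionally.
first_value_of() {
  local key file line k v inc found
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  file=${2:-/etc/ssh/sshd_config}
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop comments
    read -r k v <<<"$line" || true        # keyword, then the rest of the line
    case $k in *=*) v="${k#*=}${v:+ $v}"; k=${k%%=*} ;; esac
    [ -n "$k" ] || continue
    k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
    case $k in
      match) return 1 ;;
      include)
        for inc in $v; do                 # unquoted on purpose: glob, sorted
          case $inc in /*) ;; *) inc=/etc/ssh/$inc ;; esac
          if found=$(first_value_of "$key" "$inc"); then
            printf '%s\n' "$found"; return 0
          fi
        done ;;
      "$key") printf '%s\n' "$v"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# Read `sshd -T` output (the fully resolved config, lowercase keywords) on
# stdin and report every hardening setting that did not take effect.
# Returns 0 only when all four are as expected.
check_sshd_effective() {
  local config failed=0 kv key want got
  config=$(cat)
  for kv in passwordauthentication=no kbdinteractiveauthentication=no \
            pubkeyauthentication=yes permitrootlogin=no; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      printf 'MISSING %s (expected %s)\n' "$key" "$want"; failed=1
    elif [ "$got" != "$want" ]; then
      printf 'WRONG   %s=%s (expected %s)\n' "$key" "$got" "$want"; failed=1
    fi
  done
  return "$failed"
}

# Usage on a real host (needs root; sshd -T reads the live config):
#   sudo ./sshcheck.sh --check
if [ "${1:-}" = "--check" ]; then
  for k in PasswordAuthentication KbdInteractiveAuthentication PermitRootLogin; do
    printf '%-30s %s\n' "$k" "$(first_value_of "$k" || echo '(unset: built-in default)')"
  done
  sudo sshd -T | check_sshd_effective && echo "effective sshd config: keys only, no root"
fi
```

Run it before the reload and again after a fresh login succeeds. Then prove the negative from another client: ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@server must fail with Permission denied (publickey); if it prompts for a password, one of the four values did not win and the first helper will tell you which file set it first.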

Worth adding while you are here

code
# Don't wait forever on a half-open login
LoginGraceTime 20

# Optional: restrict who can log in at all.
# Every account NOT listed here is refused, so include your own.
AllowUsers deploy ishan

Resist the urge to change the port for "security." Moving off 22 cuts log noise from the laziest scanners, but anything that sweeps all ports finds the new one in seconds, so it is not a real control; keys-only plus no-root is what actually matters. If you want fewer logs, a tool like fail2ban is more honest than security through obscurity.



Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
