Configuring and securing password authentication in SSH involves adjusting the settings in the SSH server configuration file (sshd_config). Here's a step-by-step guide to help you configure and enhance the security of password authentication:
1. Open SSH Server Configuration File:
Open the SSH server configuration file with a text editor. Typically, the configuration file is located at /etc/ssh/sshd_config. Use sudo to edit the file with elevated privileges:
sudo nano /etc/ssh/sshd_config
2. Locate Password Authentication Settings:
Find the line that begins with PasswordAuthentication. The compiled-in default is yes, and the stock file usually shows it as a commented-out line (#PasswordAuthentication yes). A commented line only documents the default and sets nothing, so remove the leading # when you change it. sshd also uses the first value it finds for each keyword and ignores later ones, so check for an Include /etc/ssh/sshd_config.d/*.conf line near the top of the file (present on Debian 12, Ubuntu 22.04 and later, and RHEL 9 and Fedora, among others): drop-in files in that directory are read at that point and take precedence over anything set lower in sshd_config. Cloud images in particular often ship a drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes. The value sshd actually uses can always be checked with sshd -T.
PasswordAuthentication yes
3. Modify Password Authentication Settings:
To disable password authentication and allow only key-based authentication, set PasswordAuthentication to no:
PasswordAuthentication no
On most distributions this line alone is not enough: sshd can still collect a password through PAM's keyboard-interactive method, so also set KbdInteractiveAuthentication to no (the keyword was called ChallengeResponseAuthentication before OpenSSH 8.7). Leave UsePAM yes in place, because PAM still performs account and session setup for key-based logins. Key-only authentication removes online password guessing entirely, which is why it is the recommended configuration once key pairs are in place and tested.
If you must keep password authentication enabled, the following options reduce the exposure. Note that they do not enforce password quality; that is the job of PAM (for example pam_pwquality) and the system's password policy:
PasswordAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
- PermitRootLogin no refuses any direct root login. The default, prohibit-password, still allows root with a key but never with a password.
- PermitEmptyPasswords no refuses accounts whose password field is empty. This is already the default, but stating it explicitly guards against a stray drop-in changing it.
- MaxAuthTries (default 6) and LoginGraceTime (default 120 seconds) can be lowered to make online guessing slower per connection, although real rate limiting comes from Fail2Ban or a firewall.
4. Specify Allowed Users (Optional):
To restrict SSH access to specific accounts, use the AllowUsers directive. As soon as it is present, every account not listed is refused before authentication is attempted, so include every account you rely on. Replace username1 username2 with the allowed usernames; entries of the form username1@192.0.2.0/24 additionally restrict a user to a source address range, and AllowGroups does the same by group:
AllowUsers username1 username2
5. Save changes, validate and exit:
Save the changes to the configuration file and exit the text editor, then check the syntax with sshd -t (run as root). It prints nothing when the configuration is valid and reports the offending line otherwise; a broken file would prevent sshd from starting again. sshd -T prints the complete effective configuration with drop-ins resolved, which is where to confirm that PasswordAuthentication now reads no.
6. Restart the SSH service:
To apply the changes, restart (or reload) the SSH service. The unit is named ssh on Debian and Ubuntu and sshd on RHEL, Fedora, SUSE and Arch. Existing sessions survive the restart because each one runs in its own process:
sudo systemctl restart ssh
7. Configure Fail2Ban (Optional):
Consider installing and configuring Fail2Ban to slow down brute-force attacks. It watches the authentication log and temporarily bans source addresses that fail authentication repeatedly.
sudo apt install fail2ban
Keep local settings in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite. Enable the sshd jail there with your chosen bantime and maxretry, and verify it with fail2ban-client status sshd. On hosts that have no /var/log/auth.log, point the jail at the systemd journal backend. Fail2Ban is a mitigation, not a fix: password logins remain guessable from addresses that have not been banned yet, which is one more reason to prefer keys.
8. Test the configuration:
Keep the current session open and start a second one to confirm that you can still log in with your intended method (for example key-based authentication), and that a password-only attempt is now refused. Only close the original session after the new login has succeeded; an open session is your way back in if the new configuration locks you out.
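Steps 2 through 8 all depend on which value sshd actually uses for PasswordAuthentication, and on a system whose sshd_config starts with an Include line a drop-in file can silently override the line you edited. The script below is an added example, not part of this guide or of OpenSSH. It emulates sshd's first-match resolution (Include expansion in sorted order, comment handling, stopping at the first Match block) over a constructed configuration tree in a temporary directory, shows the cloud-init style drop-in winning over the edited main file, and then shows a drop-in named 00-hardening.conf winning over both. The function names (expand_config, effective_value, write_hardening_dropin, build_sample_tree) and the sample files are invented for the illustration; the script never touches /etc/ssh.

```shell
#!/bin/sh
# Added example for this guide (not from the original page or from OpenSSH):
# emulate how sshd resolves the effective value of a keyword, to show why an
# edit to PasswordAuthentication in sshd_config can silently have no effect.
#
# sshd rules emulated here:
#   - "Keyword value" lines; keywords are case-insensitive; '#' starts a comment
#   - an Include line is replaced by the matching files, in sorted glob order
#   - the FIRST value seen for a keyword wins; later ones are ignored
#   - everything after a Match line is conditional, so it is not the global value
# Assumptions (hypothetical, for the illustration): relative Include paths are
# resolved against the top-level file's directory (on a real host: /etc/ssh);
# the "Keyword=value" spelling and quoted arguments are not handled.

# Print the configuration with Include directives expanded, in sshd's order.
# Defined as a subshell function so the recursion keeps its own variables.
expand_config() (
    cfg=$1
    base=$(dirname "$cfg")
    while IFS= read -r line || [ -n "$line" ]; do
        kw=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
        if [ "$kw" = include ]; then
            set -f                       # split the line into words without globbing
            set -- $line
            shift                        # drop the keyword; $@ are the patterns
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                set +f                   # now let the shell glob, sorted like sshd
                for inc in $pat; do
                    [ -f "$inc" ] && expand_config "$inc"
                done
                set -f
            done
            set +f
        else
            printf '%s\n' "$line"
        fi
    done < "$cfg"
)

# Print the global value sshd would use for keyword $2 in config file $1,
# or the compiled-in default $3 when no line sets it.
effective_value() {
    want=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    expand_config "$1" | awk -v want="$want" -v def="$3" '
        /^[ \t]*#/ || NF == 0  { next }                  # comments and blank lines
        tolower($1) == "match" { exit }                  # conditional section: stop
        tolower($1) == want    { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# Install the hardening as a drop-in that sorts before anything a distribution
# or cloud-init ships (for example 50-cloud-init.conf), so first-match wins.
write_hardening_dropin() {
    cat > "$1/00-hardening.conf" <<'EOF'
# hardening drop-in: keys only, no root, no empty passwords, fewer guesses
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
EOF
}

# Constructed sample tree (not a real host): an sshd_config with the Include
# line at the top, plus a cloud-init style drop-in that re-enables passwords.
# Prints the temporary directory that holds it.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/sshd_config.d"
    cat > "$root/sshd_config" <<EOF
Include $root/sshd_config.d/*.conf
# the line the admin edited, expecting it to take effect:
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
    printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$root"
}

demo() {
    root=$(build_sample_tree)
    printf 'before drop-in: PasswordAuthentication = %s\n' \
        "$(effective_value "$root/sshd_config" PasswordAuthentication yes)"   # yes
    write_hardening_dropin "$root/sshd_config.d"
    printf 'after drop-in:  PasswordAuthentication = %s\n' \
        "$(effective_value "$root/sshd_config" PasswordAuthentication yes)"   # no
    rm -rf "$root"
    echo 'on a live host: sudo sshd -t && sudo sshd -T | grep -i passwordauthentication'
}

demo
```

Run it as an unprivileged user; it only writes to a temporary directory. To use the same approach on a live host whose sshd_config carries the Include line, write the drop-in to /etc/ssh/sshd_config.d/, run sshd -t, and compare the sshd -T output before and after the restart; on a release without the Include line, edit sshd_config itself as described in step 3.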
Notes:
- Always keep a backup of the original configuration file before making changes, and never store it under a name that matches the Include pattern (a file called backup.conf inside /etc/ssh/sshd_config.d would itself be read by sshd).
- Disabling password authentication and relying solely on key-based authentication is generally more secure.
- If using key-based authentication, ensure that you have set up key pairs and tested them before disabling password authentication.
- Regularly review the authentication log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on RHEL-family systems, or journalctl -u ssh / journalctl -u sshd) for repeated failures, logins from unexpected addresses, and "Accepted password" entries, which should no longer appear at all once password authentication is disabled.
- Make sure you have alternative methods of accessing the server in case you lock yourself out (e.g., console access or another user account with administrative privileges).
By following these steps, you can configure and secure password authentication in SSH according to your security requirements.