Enable SSH Key Login and Disable Password Authentication on Ubuntu Server (Hardened Setup)

SSH is still the most common way to manage Linux servers, which also makes it a constant target for brute-force scans and password guessing. One of the simplest hardening steps you can apply on an Ubuntu Server is switching to SSH key authentication and then disabling password login. This tutorial walks through a safe, modern setup that reduces risk without breaking your access.

Why SSH keys are safer than passwords

A password can be guessed, reused, or leaked. SSH keys use public-key cryptography: your server stores a public key, and your client proves it has the matching private key. Even if an attacker targets your SSH service, they cannot “guess” a private key in any realistic timeframe. With password authentication disabled, random login attempts typically fail immediately.

Prerequisites

You need: (1) an Ubuntu Server you can reach over SSH, (2) a user account with sudo privileges, and (3) a local machine (Windows, macOS, or Linux) to generate and store your SSH key. If you’re configuring a remote production server, keep an existing session open until you confirm the new key-based login works.

Step 1: Create a new SSH key on your computer

On Linux/macOS, open a terminal and run:

ssh-keygen -t ed25519 -a 64 -C "[email protected]"

Press Enter to accept the default file path. When prompted, set a passphrase. This protects your private key if your laptop is stolen.

On Windows, you can use Windows Terminal with the built-in OpenSSH client (Windows 10/11). Run the same command above. The key will typically be stored under C:\Users\YourName\.ssh.

Step 2: Copy the public key to the Ubuntu server

Option A (recommended): ssh-copy-id (Linux/macOS, or Windows with WSL):

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip

This creates (or updates) the remote ~/.ssh/authorized_keys file with correct permissions.

Option B: manual method (works everywhere):

First display your public key locally:

cat ~/.ssh/id_ed25519.pub

Copy the entire output (starts with ssh-ed25519). Then SSH into the server with your current method (likely password), and run:

mkdir -p ~/.ssh && chmod 700 ~/.ssh

nano ~/.ssh/authorized_keys

Paste the public key on a new line, save, then lock down permissions:

chmod 600 ~/.ssh/authorized_keys

Step 3: Test key-based SSH login (don’t skip this)

Before changing any server settings, open a new terminal window and test:

ssh username@server_ip

If your key is picked up correctly, you should either log in directly or be prompted for your key’s passphrase (not the server password). If it still asks for the server password, stop here and troubleshoot the key path and permissions.

Step 4: Disable password authentication in SSHD

On the Ubuntu server, edit the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Set (or add) these lines. Be careful to avoid duplicates: if the same keyword appears more than once, sshd uses the first value it reads, so an earlier line (or a setting in a file pulled in by an Include directive near the top of the file) silently overrides the one you edit.

PasswordAuthentication no

PubkeyAuthentication yes

If you also want to block direct root logins (recommended), set:

PermitRootLogin no

Save the file and validate the configuration syntax:

sudo sshd -t

If there’s no output, the syntax is OK. Now restart SSH safely:

sudo systemctl restart ssh

Step 5: Confirm you can still access the server

Open another fresh SSH connection from your computer and confirm login works. Keep your original session open until you confirm this step. Once verified, password login attempts should fail with messages like “Permission denied (publickey).”
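A scripted version of the checks behind Steps 2, 4 and 5, added here as an example and not part of the original tutorial: it reads the output of `sshd -T` (the configuration sshd actually applies, after duplicates and Include'd files are resolved) and verifies the three keywords and the key-file permissions. It assumes a Linux host with GNU stat; the `--live` flag and function names are this example's own.

```shell
# Added example, not part of the original tutorial: verify the *effective*
# sshd settings from Step 4 and the key-file permissions from Step 2.
# `sshd -T` dumps the configuration sshd actually applies, with every keyword
# lower-cased, so it already accounts for duplicate lines and Include'd files.
# Assumes Linux with GNU stat (the -c option is not available on macOS).

# Print the effective value of one lower-case keyword (e.g.
# passwordauthentication) from `sshd -T` output on stdin, or "unset".
sshd_effective() {
    awk -v k="$1" 'tolower($1) == k { print $2; found = 1; exit }
                   END { if (!found) print "unset" }'
}

# Check the three hardening keywords from the tutorial against `sshd -T`
# output on stdin. Prints one line per keyword; returns 0 only if all match.
check_sshd_hardening() {
    local dump rc=0 want key expected actual
    dump="$(cat)"
    for want in passwordauthentication=no pubkeyauthentication=yes permitrootlogin=no; do
        key="${want%=*}"
        expected="${want#*=}"
        actual="$(printf '%s\n' "$dump" | sshd_effective "$key")"
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key = $actual"
        else
            echo "FAIL $key = $actual (expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Check that the given .ssh directory is mode 700 and its authorized_keys
# is mode 600, as Step 2 requires. Returns 0 only if both are correct.
check_key_perms() {
    local dir="$1" rc=0
    [ "$(stat -c '%a' "$dir" 2>/dev/null)" = "700" ] \
        || { echo "FAIL $dir should be mode 700"; rc=1; }
    [ "$(stat -c '%a' "$dir/authorized_keys" 2>/dev/null)" = "600" ] \
        || { echo "FAIL $dir/authorized_keys should be mode 600"; rc=1; }
    return "$rc"
}

# Live check against this server: `sh sshd_check.sh --live` (sshd -T needs root).
if [ "${1:-}" = "--live" ]; then
    sudo sshd -T | check_sshd_hardening
    check_key_perms "$HOME/.ssh"
fi
```

Run it with `--live` from your existing session before you close it; a FAIL line on passwordauthentication means a duplicate or drop-in setting is still allowing password logins.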

Optional hardening: limit who can SSH in

If only specific users should access the server, add an allow-list in /etc/ssh/sshd_config:

AllowUsers adminuser deployuser

Restart SSH again after changes. This is especially useful on multi-user servers or internet-facing VPS instances.

Troubleshooting tips

If key login fails, the most common causes are incorrect permissions or the wrong username. On the server, permissions should be 700 on ~/.ssh and 600 on authorized_keys. On the client, make sure you’re using the right key (try ssh -i ~/.ssh/id_ed25519 username@server_ip). For deeper insight, run:

ssh -vvv username@server_ip

The verbose output shows which keys are offered and why authentication succeeds or fails.

Wrap-up

By enabling SSH key login and disabling password authentication, you remove the easiest path attackers use to break into servers. This change is fast, reversible, and one of the best “bang for the buck” security improvements you can make on Ubuntu Server. Once it’s in place, consider adding firewall rules (UFW), automatic updates, and intrusion protection like Fail2ban for an even stronger baseline.
