Skip to content

Require key-only SSH authentication

Severity: criticalApplies to: OpenSSH 8.x+Applies to: Debian / UbuntuApplies to: RHEL / Rocky / Alma
The fix/etc/ssh/sshd_config
Terminal window
PasswordAuthentication no
KbdInteractiveAuthentication no

Then reload the daemon:

Terminal window
sudo systemctl reload ssh # Debian, Ubuntu
sudo systemctl reload sshd # RHEL, Rocky, Alma, Fedora

A password is a secret short enough for a human to remember, which is also short enough to guess at scale. SSH keys are not guessable in any practical sense, and they remove the entire category of brute-force and credential-stuffing attacks that make up most of the noise against a public host.

PasswordAuthentication no on its own is frequently not enough, and this is the single most common way a host that looks locked down still accepts passwords.

OpenSSH has a second path to password authentication: keyboard-interactive, which delegates to PAM. If KbdInteractiveAuthentication is left on while PAM is configured for passwords, the daemon will still prompt for and accept a password — even though PasswordAuthentication is no. Setting both is what actually closes the door.

On older configs the same directive appears under its former name, ChallengeResponseAuthentication. If you see that in your config, it is the same setting; set it to no as well.