Require key-only SSH authentication
/etc/ssh/sshd_configPasswordAuthentication noKbdInteractiveAuthentication noThen reload the daemon:
sudo systemctl reload ssh # Debian, Ubuntusudo systemctl reload sshd # RHEL, Rocky, Alma, FedoraWhy it matters
Section titled “Why it matters”A password is a secret short enough for a human to remember, which is also short enough to guess at scale. SSH keys are not guessable in any practical sense, and they remove the entire category of brute-force and credential-stuffing attacks that make up most of the noise against a public host.
The gotcha: two directives, not one
Section titled “The gotcha: two directives, not one”PasswordAuthentication no on its own is frequently not enough, and this is the
single most common way a host that looks locked down still accepts passwords.
OpenSSH has a second path to password authentication: keyboard-interactive,
which delegates to PAM. If KbdInteractiveAuthentication is left on while PAM
is configured for passwords, the daemon will still prompt for and accept a
password — even though PasswordAuthentication is no. Setting both is what
actually closes the door.
On older configs the same directive appears under its former name,
ChallengeResponseAuthentication. If you see that in your config, it is the
same setting; set it to no as well.
Related
Section titled “Related”- Disable root login over SSH — apply this next.