Ubuntu – Disabling SSH password login for Ubuntu

14.04 remote root security ssh

I have a remote server for which I want to disable remote login using a password for root and other users. I have gone through a few articles on the Internet about how to do that and I have the following list of things to do/change:

  1. Create private key authentication using SSH keys for all users (I have already done this)

  2. Set the following settings in sshd_config :

    • set PermitRootLogin without-password

    • set ChallengeResponseAuthentication no

    • set PasswordAuthentication no

    • set UsePAM no

    • set AllowUsers root otheruser

  3. restart ssh using sudo service ssh reload

However, I am not sure exactly which changes are to be made to the sshd_config file and I don't want to be locked out of my remote server.

  1. If I want to be able to login as root and other users using only SSH keys, what changes do I make?

  2. If I want to prevent remote root login at all, what changes do I make (and how much more secure is it compared to remote root login using SSH keys)?

  3. If I prevent remote root login at all by making changes to sshd_config file, how will I ever be able to login as ROOT if I want to in future?

Please answer these questions as explicitly as possible and pardon me for lack of trying things as I am completely horrified of the possibility of getting locked out of my own remote server.

Best Answer

set "UsePAM no" in sshd_config file

You don't want to turn off PAM.

  1. If I want to be able to login as root and otheruser using only SSH keys, what changes do I make?

To achieve this, these options are related:

PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers root otheruser
PubkeyAuthentication yes     # missing in your list, but should be on by default

  2. If I want to prevent remote root login at all, what changes do I make (and how much more secure is it compared to remote root login using SSH keys)?

Set PermitRootLogin no and AllowUsers otheruser.

  3. If I prevent remote root login at all by making changes to sshd_config file, how will I ever be able to login as ROOT if I want to in future?

You will log in with your non-root user and use sudo to edit the configuration files and restart sshd.
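
A way to check a candidate sshd_config against the key-only settings in the answer before reloading, so a mistake is caught while you still have a session. This is an added example, not part of the original question or answer; the function names `effective` and `audit_key_only` and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a candidate sshd_config
# against the key-only settings in the answer before reloading sshd.
# Function names and both sample files are constructed for illustration.

# Print the effective global value of KEYWORD ($2) in FILE ($1). Keywords are
# case-insensitive and the first occurrence wins; full-line comments are
# skipped, and parsing stops at the first Match block (conditional settings).
effective() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    NF >= 2 && tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Return 0 only if FILE ($1) enforces key-only login without disabling PAM.
audit_key_only() {
  rc=0
  for kw in PasswordAuthentication ChallengeResponseAuthentication; do
    [ "$(effective "$1" "$kw")" = no ] || { echo "FAIL: $kw must be 'no'"; rc=1; }
  done
  [ "$(effective "$1" PubkeyAuthentication)" != no ] ||
    { echo "FAIL: PubkeyAuthentication is 'no'"; rc=1; }
  [ "$(effective "$1" UsePAM)" != no ] ||
    { echo "FAIL: UsePAM is 'no' (the answer says to leave PAM on)"; rc=1; }
  case "$(effective "$1" PermitRootLogin)" in
    without-password|no) ;;
    *) echo "FAIL: PermitRootLogin must be 'without-password' or 'no'"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample 1: the settings recommended in the answer.
good=$(mktemp); cat > "$good" <<'EOF'
# key-only login for root and otheruser
PermitRootLogin without-password
ChallengeResponseAuthentication no
passwordauthentication no
AllowUsers root otheruser
PubkeyAuthentication yes
EOF
# Constructed sample 2: the same file plus "UsePAM no" from the question's list.
bad=$(mktemp); { cat "$good"; echo "UsePAM no"; } > "$bad"

audit_key_only "$good" && echo "good: OK"
audit_key_only "$bad" || echo "bad: rejected"
```

On the server, keep your current session open, run `sudo sshd -t` to syntax-check the real file, reload with `sudo service ssh reload`, and confirm a new key-based login works before logging out.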