SSH authentication by public key: disable passwords on Ubuntu Server

Author: Rogelio Guerra Riverón
Building my own web infrastructure from scratch. Here I document each step: servers, networks, containers and everything that comes along.

Why Switch to Key-Based Authentication

After months of maintaining a home server with open SSH access, I got tired of brute-force password attacks. Switching to public key authentication was the best security decision I made. Keys are computationally infeasible to crack through brute force, while passwords are always a target.

SSH Key Generation

First, generate a key pair on your local machine (not on the server):

ssh-keygen -t ed25519 -C "tu_email@ejemplo.com"

It will ask you where to save the key. Press Enter to use the default location (~/.ssh/id_ed25519). Then it will ask for a passphrase. I use a strong password here, because it protects your private key locally.

After this you’ll have two files:

  • ~/.ssh/id_ed25519 - Your private key (never share this)
  • ~/.ssh/id_ed25519.pub - Your public key (this goes on the server)

Copy the Key to the Server

The safest method is using ssh-copy-id. From your local machine:

ssh-copy-id -i ~/.ssh/id_ed25519.pub usuario@servidor

This will add your public key to the ~/.ssh/authorized_keys file on the server. You’ll still need your password for this step.

If ssh-copy-id doesn’t work, you can do it manually:

cat ~/.ssh/id_ed25519.pub | ssh usuario@servidor "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Verify It Works

Before disabling passwords, test that key-based access works:

ssh usuario@servidor

If everything is good, you should log in without being asked for the server password (you will only be asked for the passphrase of your local key, if you set one).

SSH Server Configuration

Now we edit /etc/ssh/sshd_config on the server:

sudo nano /etc/ssh/sshd_config

Find these lines and adjust them (remove the leading # if a line is commented out):

PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

These are the critical lines:

  • PubkeyAuthentication: Enables key-based authentication (should be yes)
  • PasswordAuthentication: Change this to no to disable password logins
  • PermitEmptyPasswords: Ensures accounts with an empty password cannot log in
  • PermitRootLogin: It's good practice to set this to no, so root cannot log in directly over SSH

Apply the Changes

Before restarting the SSH service, verify that the configuration is valid:

sudo sshd -t

If it doesn’t return errors, restart the service:

sudo systemctl restart ssh
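
sshd -t only checks syntax; because Ubuntu's sshd_config includes /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for each keyword, a drop-in file can leave PasswordAuthentication enabled despite the edit above. This added example (not part of the original post) checks the effective values printed by sshd -T against the four settings from this page. The function name check_sshd_effective and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Real use on the server:  sudo sshd -T | check_sshd_effective

# Values this page sets. `sshd -T` prints keywords in lowercase,
# one "keyword value" pair per line.
EXPECTED="pubkeyauthentication=yes
passwordauthentication=no
permitemptypasswords=no
permitrootlogin=no"

# Reads `sshd -T` output on stdin, prints one line per missing or
# mismatched keyword, and exits 0 only if all four match. The body runs
# in a subshell, so its variables do not leak into the caller.
check_sshd_effective() (
    dump=$(cat)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"; rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: a drop-in file still sets PasswordAuthentication yes.
SAMPLE_OVERRIDDEN="port 22
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
permitrootlogin no"

# Constructed sample: the state this page aims for.
SAMPLE_GOOD="port 22
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
permitrootlogin no"

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "-> password login still enabled"
printf '%s\n' "$SAMPLE_GOOD" | check_sshd_effective && echo "-> effective config matches"
```

If a mismatch is reported, look for the overriding directive in the files under /etc/ssh/sshd_config.d/ before relying on key-only login.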

Final Test

Here comes the moment of truth. Open a new SSH session without closing the current one:

ssh usuario@servidor

If you log in without problems, everything works. If not, use the session you kept open to revert the changes.

Backup and Checklist

Before doing this, I back up sshd_config:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

My checklist before disabling passwords:

  • SSH key generated locally
  • Public key copied to the server
  • Key-based access tested correctly
  • sshd -t without errors
  • Backup of sshd_config done
  • Test session open before restarting

Result

Since I implemented this, the server logs are quiet. Zero successful brute-force attempts. SSH keys are one of those security improvements that seem complicated at first but are completely worth it.

