I have a cloud server with only a root user. I SSH to it using RSA keys only. To make it more secure, I wanted to disable the password feature. I know that this can be done by editing the /etc/ssh/sshd_config file and changing PermitRootLogin yes to PermitRootLogin without-password. I was wondering if simply deleting the root password via passwd -d root would be the equivalent (assuming I do not create more users or new users have their passwords deleted too). Are there any security issues with one approach versus the other?
Linux – Is disabling password login for SSH the same as deleting the password for all users
Best Answer
Using public key authentication bypasses other authentication methods, so there's no need to use PermitRootLogin without-password; it's dangerous if someone tries to log in as root and is not forced to present a public key.
To accomplish what you want, disabling password authentication in sshd, use PasswordAuthentication no in your sshd_config.
This setting will not affect the contents of /etc/shadow, where your user passwords are stored. If another application wants to authenticate via password (say CUPS for example), this will still work.
If you want to disable this, deleting a user's password with the command stated above will not work. It allows password-less logins for a given user; that's definitely not added security.
Issuing passwd -l <user> will accomplish what you intended. Keep in mind though that apps other than ssh might have a problem with that because they expect password authentication in their default setup (sudo, su, CUPS, etc.).
Quoting from man passwd:
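The following is an added example, not part of the original answer and not a quote from the man page: a small audit that tells apart the account states discussed above (empty password after passwd -d, locked after passwd -l, usable hash) and reads the sshd settings in question. The function names and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from a real host.

# Classify the password field (2nd field) of shadow(5)-format lines.
classify_shadow() {   # usage: classify_shadow FILE
    awk -F: '
        $2 == ""     { print $1 ":EMPTY";  next }  # state left by passwd -d
        $2 ~ /^[!*]/ { print $1 ":LOCKED"; next }  # passwd -l prepends "!"; "*" never matches
                     { print $1 ":HASH" }          # a usable password hash
    ' "$1"
}

# Print the value sshd would use for KEYWORD from the global section of a
# config file: keywords are case-insensitive and the first value read wins.
# Simplification: ignores Include files and the "keyword=value" spelling;
# on a real host, `sshd -T` prints the effective configuration.
sshd_value() {        # usage: sshd_value FILE KEYWORD
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Constructed sample inputs (hypothetical accounts and placeholder hashes).
demo_dir=$(mktemp -d)
cat > "$demo_dir/shadow" <<'EOF'
root::19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin without-password
passwordauthentication no
PasswordAuthentication yes
EOF

classify_shadow "$demo_dir/shadow"
echo "PasswordAuthentication=$(sshd_value "$demo_dir/sshd_config" PasswordAuthentication)"
echo "PermitRootLogin=$(sshd_value "$demo_dir/sshd_config" PermitRootLogin)"
```

Against a real system, point classify_shadow at /etc/shadow (readable by root only) and treat any EMPTY entry as an account that needs locking or a password.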