How to allow or disallow SSH password authentication

SSH password authentication controls whether remote logins occur using only a username and password over SSH. Adjusting this behavior balances simple access requirements with stronger protection against brute-force attacks on internet-facing servers.

In OpenSSH, the sshd daemon reads /etc/ssh/sshd_config during startup and on reload to determine which authentication mechanisms are accepted. The PasswordAuthentication directive in this configuration file decides if password-based logins are allowed alongside methods such as public key authentication or keyboard-interactive.

Disabling password authentication without a working alternative such as key-based login can immediately block further access over SSH. On typical Linux systems using systemd, configuration changes take effect only after the sshd service restarts, so keeping an existing session open until confirmation avoids lockouts and enables quick rollback using the backup configuration.

Steps to enable or disable password authentication in SSH:

Open a terminal session with an account that has sudo privileges.
```
$ whoami
user
```
Create a backup copy of the current SSH daemon configuration file.
```
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```
Keeping a backup of /etc/ssh/sshd_config allows quick restoration if authentication changes prevent SSH logins.

Open the SSH daemon configuration file in a text editor.

$ sudo vi /etc/ssh/sshd_config
[sudo] password for user:

Locate the PasswordAuthentication directive inside the configuration file.

The PasswordAuthentication directive controls whether SSH accepts password-based logins when set to yes or rejects them when set to no.
Set PasswordAuthentication to no to disallow password authentication or to yes to allow it, adding or uncommenting the line if necessary.
```
PasswordAuthentication no
```
Add the line if it is missing and remove any leading # character if the directive is commented out.

Ensure another authentication method such as public key authentication is configured and tested before setting the value to no, otherwise SSH access can be lost.
Write the changes in the editor so the updated configuration is stored in the file.
Test the SSH daemon configuration for syntax errors before restarting the service.
```
$ sudo sshd -t
```
No output from sshd -t indicates that the configuration syntax is valid.
Restart the SSH daemon so the new authentication setting takes effect.
```
$ sudo systemctl restart sshd
```
Some distributions use ssh instead of sshd as the service name, for example sudo systemctl restart ssh on Ubuntu.
Verify the effective password authentication setting reported by the SSH daemon.
```
$ sudo sshd -T | grep -i passwordauthentication
passwordauthentication no
```
An output line ending in no confirms that password-based logins are disabled, while yes indicates that they remain enabled.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.