How to disable SSH public key authentication

Controlling which authentication methods an SSH server accepts reduces the attack surface and limits how accounts can be used. Disabling public key authentication can temporarily force password-only access, isolate compromised keys, or align access with stricter compliance requirements.

OpenSSH implements several authentication mechanisms, including public key, password, and keyboard-interactive methods. The server-side sshd daemon reads its configuration from /etc/ssh/sshd_config, where directives such as PubkeyAuthentication and PasswordAuthentication determine which methods are allowed when clients attempt to connect.

Changing authentication methods always carries a risk of losing access if no valid method remains enabled. Before disabling public key authentication, at least one alternative method such as strong password authentication or multi-factor integration must remain available, and some form of out-of-band or console access should be ready to reverse the change if needed.

1. Open a terminal and connect to the SSH server with an account that can run sudo commands.

   $ ssh user@server.example.com

2. Create a backup copy of the current SSH daemon configuration file.

   $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

   An incorrect change in /etc/ssh/sshd_config without a backup can make new SSH logins fail and complicate rollback, especially on remote-only systems.

3. Open the SSH daemon configuration file in a text editor.

   $ sudo vi /etc/ssh/sshd_config
   [sudo] password for user:

4. Search in the file for a line that begins with PubkeyAuthentication.

   The directive may be commented as #PubkeyAuthentication yes in default configurations, in which case the effective value comes from the built-in default.

5. Set the PubkeyAuthentication directive so public key authentication is disabled.

   PubkeyAuthentication no

   Add the line if it does not exist and remove any leading # so the directive is active.

6. Confirm that at least one alternative authentication method such as PasswordAuthentication remains enabled.

   PasswordAuthentication yes

   Disabling PubkeyAuthentication while also disabling all other authentication methods prevents new sessions from authenticating and can completely block remote access.

7. Test the sshd configuration for syntax errors before applying the change.

   $ sudo sshd -t

   No output from sshd -t indicates that the configuration syntax is valid.

   Related: How to check and validate SSH server's configuration

8. Restart the SSH daemon to apply the updated authentication policy.

   $ sudo systemctl restart sshd

   On many Debian-based systems the service name is ssh, so the command becomes sudo systemctl restart ssh.

   Related: [DRAFT] How to manage the SSH server service with systemctl in Linux

9. Check the SSH daemon status to confirm that it is running after the restart.

   $ sudo systemctl status sshd
   ● sshd.service - OpenSSH Daemon
        Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
        Active: active (running) since Thu 2024-05-16 10:41:02 UTC; 5s ago
   ##### snipped #####

10. Verify that public key authentication is no longer accepted and that another method remains available by initiating a verbose SSH connection and reviewing the offered methods.

    $ ssh -vv user@server.example.com
    ##### snipped #####
    debug1: Authentications that can continue: password
    user@server.example.com's password:
    ##### snipped #####

    The absence of publickey in the list of methods that can continue shows that public key authentication is disabled; a remaining method such as password must still be present to allow logins.