How to enable or disable SSH password authentication on Linux Servers

Configure SSH password login settings to harden your server or restore access when key-based authentication fails.

Key points to consider:

  • SSH password authentication allows users to log in using a username and password, but this method is more susceptible to brute-force attacks than SSH key-based authentication.

  • Disabling password authentication is a best practice for production systems, especially when SSH keys are already set up and in use.

  • Enabling password authentication might be necessary in some cases, such as during initial server setup, when configuring new users, or when public SSH keys are not feasible.

  • SSH authentication settings are managed in the /etc/ssh/sshd_config file. The directive PasswordAuthentication must be set explicitly to yes or no.

  • Any changes made to the SSH configuration require restarting the SSH service (or ssh.socket on socket-activated systems like Ubuntu 24.04) for the changes to take effect.

  • You should always test SSH access in a second session before you apply changes permanently. This helps prevent accidental lockouts in case of misconfiguration.

  • If password authentication is disabled and no public keys are installed or valid, you may lose remote access to the server.

  • Use sshd -T to validate your effective SSH configuration, especially when overrides are defined in .d directories such as /etc/ssh/sshd_config.d/.

Introduction

Secure Shell (SSH) is the primary tool for remote access and management of Linux servers. It supports multiple authentication methods, including password-based and public key-based login. By default, most Linux distributions allow password authentication, enabling users to log in using a username and password pair.

While password authentication is convenient and often necessary for initial setup, it presents a higher security risk. Passwords can be guessed, cracked, or intercepted, especially if not combined with other hardening measures. On the other hand, public key authentication is significantly more secure and resistant to brute-force attacks, making it the preferred choice for production systems.

Important: If you have not set up SSH keys yet, follow our SSH key tutorial to generate a key pair and add it to your Cherry Servers account or server manually.

In this tutorial, you will learn how to enable or disable SSH password authentication by modifying the SSH server configuration. You will also verify the current setting, apply changes safely, and test access to avoid lockouts. This process works across most modern Linux distributions. Before proceeding, ensure you have root or sudo privileges on the server. You should also test any authentication changes in a second terminal session to avoid being locked out due to a misconfiguration.

Step-by-Step Instructions

Step 1: Check the current SSH Password Authentication setting

Before making any changes, it is crucial to check whether SSH password authentication is currently enabled or disabled on your system. This setting is controlled in the SSH daemon configuration file located at /etc/ssh/sshd_config, or optionally in files within the /etc/ssh/sshd_config.d/ directory.

  1. Open the SSH configuration file:
    Use a text editor such as nano to open the SSH configuration:
    $ sudo nano /etc/ssh/sshd_config
    Alternatively, run this command to list every PasswordAuthentication line in the main file and in any included configuration files, so that overrides are visible (see Fig. 1):
    $ sudo grep -i PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* 2>/dev/null

    Fig. 1. Checking the current SSH password authentication setting using grep. The last line shows that PasswordAuthentication is explicitly set to yes, meaning password logins are currently enabled.
  2. Review the setting (see Fig. 2):
    Look for a line that reads:
    PasswordAuthentication yes
    or
    PasswordAuthentication no

    Fig. 2. The PasswordAuthentication directive in /etc/ssh/sshd_config is set to yes, enabling password-based SSH logins for users on this system.
    • If the line is commented out (prefixed with #), the default value yes is likely in effect, allowing password authentication.
    • If the line is explicitly set to no, password authentication is disabled.
    • If it's set to yes, password login is enabled.

Tip: In modern distributions such as Ubuntu 22.04 or 24.04, configuration snippets in /etc/ssh/sshd_config.d/ may override the main file. Always check this directory when troubleshooting.

Step 2: Modify the SSH Password Authentication setting

Now that you have verified the current configuration, you can proceed to enable or disable SSH password authentication based on your requirements.

  1. Locate the existing directive
    In the file you opened during Step 1 (/etc/ssh/sshd_config or a .conf file inside /etc/ssh/sshd_config.d/), find the line (see Fig. 2):
    PasswordAuthentication yes
    or
    PasswordAuthentication no
  2. Modify the value
    • To disable password login and require SSH keys only (recommended):
      PasswordAuthentication no
    • To enable password login (e.g., during initial setup or recovery):
      PasswordAuthentication yes
    Make sure only one active (uncommented) PasswordAuthentication directive is present across all config files.
  3. Save and exit
    If you are editing with nano, press Ctrl+O, Enter, and Ctrl+X to save and close.

Note: Avoid repeating the directive in multiple places. If you modified a file inside /etc/ssh/sshd_config.d/, be sure it is not being overridden by the main config file, or vice versa.
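
The check from Step 1 and the single-directive rule from Step 2, as an added example that is not part of the original tutorial: it reads sshd_config in the order sshd does, follows Include lines, and reports which PasswordAuthentication line is obtained first (the one sshd applies) and which lines are shadowed. The function names are hypothetical, and directives after a Match line are skipped rather than evaluated.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes "Keyword value" syntax; directives after a Match line are skipped.

# Print "file:line:value" for each active global PasswordAuthentication
# directive, in the order sshd reads them (Include is followed in place).
pa_directives() (
    root=$1 file=$2 n=0 in_match=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        read -r key val rest <<EOF
$line
EOF
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            match) in_match=1 ;;
            include)
                # Relative Include paths are resolved against the config root.
                case $val in /*) ;; *) val="$root/$val" ;; esac
                for inc in $val; do   # unquoted on purpose so the glob expands
                    if [ -f "$inc" ]; then pa_directives "$root" "$inc"; fi
                done ;;
            passwordauthentication)
                if [ "$in_match" -eq 0 ]; then
                    printf '%s:%s:%s\n' "$file" "$n" "$val"
                fi ;;
        esac
    done <"$file"
)

# sshd keeps the first value it obtains for a keyword. With no active
# directive, the OpenSSH default for PasswordAuthentication (yes) applies.
pa_effective() {
    first=$(pa_directives "$1" "$1/sshd_config" | head -n 1)
    if [ -z "$first" ]; then echo yes; return 0; fi
    printf '%s\n' "${first##*:}" | tr 'A-Z' 'a-z'
}

# Print every directive after the first: these are shadowed and never applied.
pa_shadowed() {
    pa_directives "$1" "$1/sshd_config" | tail -n +2
}

# Report on a real tree only when a config directory is given, e.g. /etc/ssh.
if [ -n "${1:-}" ]; then
    echo "first match: $(pa_effective "$1")"
    pa_shadowed "$1" | sed 's/^/shadowed: /'
fi
```

Pass the configuration directory as the only argument (for example /etc/ssh), then compare the result with the output of sshd -T, which shows what sshd itself resolved.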

Step 3: Restart the SSH service to apply changes

Once you have updated the SSH configuration to enable or disable password authentication, you need to restart the SSH daemon for the changes to take effect.

  1. Restart the SSH service
    Run the following command to restart the SSH daemon and apply your changes:
    $ sudo systemctl restart ssh
    This command is valid on most Linux systems and applies the new configuration immediately.
    Note for Ubuntu 24.04 and socket-activated systems:
    If your system uses ssh.socket (such as Ubuntu 24.04), you should run the following instead:
    $ sudo systemctl daemon-reexec
    $ sudo systemctl restart ssh.socket
    This ensures that the new configuration is picked up by the socket-based service, not just by sshd.
  2. Validate SSH configuration (optional but recommended)
    Before restarting, you can check for syntax errors using:
    $ sudo sshd -t
    If no output is returned, the configuration is valid.
  3. Test the new authentication method in a second terminal
    Keep your current SSH session open. In a second terminal, test login with:
    $ ssh user@your_server_ip
    • If password authentication is enabled, you will be prompted for a password.

    • If password authentication is disabled and you have no SSH key set up, you will see an error like (see Fig. 3):

      Permission denied (publickey).

      Fig. 3. SSH login fails when password authentication is disabled and no valid SSH key is available.

Note: If you are locked out due to configuration errors or lack of key access, use the Console in the Cherry Servers Client Portal to log in and revert the changes. See our guide: how to use and navigate remote management consoles.
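
A pre-flight check for the lockout case described above, as an added example that is not part of the original tutorial: before setting PasswordAuthentication no, it confirms that the account has at least one public key in authorized_keys and that no path leading to it is group- or world-writable, which the sshd default StrictModes yes would reject. The function names are hypothetical, and file ownership, which sshd also checks, is not verified here.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Pass the account's home directory; nothing here changes the system.

# Count authorized_keys lines that carry a recognised public key type.
count_keys() {
    if [ ! -f "$1" ]; then echo 0; return 0; fi
    grep -Ec '^([^#]*[[:space:]])?(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*' "$1" || true
}

# Print each path that is group- or world-writable. With the default
# StrictModes yes, sshd refuses an authorized_keys file reached this way.
loose_paths() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ -e "$p" ]; then
            find "$p" -prune \( -perm -020 -o -perm -002 \) -print
        fi
    done
}

# Succeed only if at least one key is present and no path is too permissive.
key_login_ready() {
    [ "$(count_keys "$1/.ssh/authorized_keys")" -gt 0 ] || return 1
    [ -z "$(loose_paths "$1")" ]
}

# Report on a real account only when its home directory is given.
if [ -n "${1:-}" ]; then
    if key_login_ready "$1"; then
        echo "key login looks usable for $1"
    else
        echo "do not disable passwords yet for $1"
        echo "keys found: $(count_keys "$1/.ssh/authorized_keys")"
        loose_paths "$1" | sed 's/^/too permissive: /'
    fi
fi
```

A passing result does not replace the second-session login test from Step 3; it only catches the two most common reasons that test fails.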

Summary

In this tutorial, you learned how to enable or disable SSH password authentication on a Linux server by editing the SSH daemon configuration file. Password authentication allows users to log in using a username and password, but it is considered less secure than key-based authentication due to its vulnerability to brute-force attacks.

You started by checking the current configuration using the sshd_config file or supplementary .conf files in /etc/ssh/sshd_config.d/. Then, you either enabled or disabled the PasswordAuthentication directive, depending on your use case, whether securing production systems or restoring access when SSH keys are unavailable. After making changes, you applied the new settings by restarting the SSH service.

To avoid being locked out of your server, you were advised to test SSH access in a second terminal before closing your active session. If password authentication is disabled and no SSH key is present, login will fail with a "Permission denied (publickey)" error.

By following this guide, you can confidently manage SSH authentication settings to suit your security requirements or operational needs.