Is disabling password login for SSH the same as deleting the password for all users?

ssh security linux rsa ubuntu

Solution 1:

Using public key authentication bypasses other authentication methods, so there's no need to use PermitRootLogin without-password, it's dangerous if someone tries to login as root and is not forced to present a public key.

To accomplish what you want, disabling password authentication in sshd, use PasswordAuthentication no in your sshd_config.

This setting will not affect the contents of /etc/shadow, where your user passwords are stored. If another application wants to authenticate via password (say CUPS for example), this will still work.

If you want to disable this, deleting a users password with the command stated above will not work. It allow password-less logins for a given user, that's definitly not added security.

Issuing passwd -l <user> will accomplish what you intended. Keep in mind though that other apps than ssh might have a problem with that because they expect password authentication in their default setup (sudo, su, CUPS, etc.)

Quoting from man passwd:

-l, --lock
           Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

           Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod
           --expiredate 1 (this set the account's expire date to Jan 2, 1970).

           Users with a locked password are not allowed to change their password.

Solution 2:

Absolutely not, removing the root password would be a great security risk, if you want to modify the root password I would suggest that you set a strong random password for the root user. Even tho /etc/shadow

Now you have root user locked down for SSH access only to your SSH key, your next step would be to check which other users have shell access and remove it if not needed, and do the same for any additional user accounts you may create and keep SSH access only to the root user.

If you do choose to remove the password for any user, it should have also shell access removed in /etc/passwd by setting the shell to /sbin/nologin.

A different approach would be to disable password login for SSH for all users and allow public key authentication only.

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Also ensure that the public key authentication is allowed in /etc/ssh/sshd_config :

PubkeyAuthentication yes

Related

Unknown LDAP cn=config admin password
Can I create the active directory forest corp.domain.com without creating domain.com first?
Renaming a TFS Server
Alias doesn't work in script with #!/usr/bin/env php
Good practices regarding discontinued software in production (OpenDS)?
SSH connection - after some time I can't type anything
Ansible ssh as user and execute has root (expect like)
Haproxy "use_backend" match order
Google Dynamic DNS Wildcard Subdomains
What do users see when Apache reaches MaxClients?
CEPH's raw space usage
Launching an EC2 Instance with an IAM Role Using Ansible