19 Oct 2024

Securing SSH Access - Disabling Password Authentication vs. Locking User Accounts

When it comes to securing SSH access on a Linux system, two effective methods are disabling password authentication and locking user accounts. Each approach offers distinct advantages and considerations. In this blog post, we’ll break down both methods to help you choose the best option for your critical security needs.



Disabling Password Authentication

Pros

  • Increased Security: By setting PasswordAuthentication no in your SSH configuration, sshd refuses password logins, so only key-based (or other non-password) methods remain. This removes the attack surface for brute-force and password-guessing attacks entirely: there is no password for an attacker to guess, so an online guessing attempt cannot succeed no matter how many tries it gets.
  • Compliance: Many security policies and best practices mandate disabling password authentication to meet stricter security standards. Key-based authentication is considered more secure and is often required for compliance.


Cons

  • Initial Setup Required: Before disabling password authentication, every user who needs access must have a public key installed and must have tested a key-based login. Otherwise users who still rely on passwords are locked out the moment the change takes effect.
  • Recovery Challenges: If a private key (or its passphrase) is lost, there is no password to fall back on. Out-of-band access, such as a physical or cloud serial console or a separately protected break-glass account, is then the only way to restore access.


Details

To disable password authentication, follow these steps:

  1. Edit the SSH Configuration File:

     sudo nano /etc/ssh/sshd_config
    

    Locate the PasswordAuthentication directive and set it to no. On systems where sshd runs with UsePAM yes (the default on most distributions), also set KbdInteractiveAuthentication to no (called ChallengeResponseAuthentication on OpenSSH older than 8.7); otherwise PAM can still prompt for a password through keyboard-interactive authentication. Make sure the directive sits in the global section of the file: anything placed after a Match block applies only to that block.

     PasswordAuthentication no
    
  2. Reload SSHD:

    Validate the file first with sshd -t, then reload or restart the SSH service for the change to take effect. Keep your current session open and test a fresh key-based login from a second terminal before closing it: existing connections survive a reload or restart, so a mistake can still be corrected. The unit is named sshd on RHEL-family systems and ssh on Debian and Ubuntu:

     sudo systemctl reload sshd
    

    or

     sudo systemctl restart sshd
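
The two steps above, as an added example that is not part of the original post: a POSIX shell script that sets the password-bearing directives in a given sshd_config file without hand-editing, keeps them in the global section (a directive appended after a Match block would apply only to that block), and validates the result before reloading. It assumes a GNU/Linux userland with awk and mktemp, systemd, and a Debian- or RHEL-style unit name; the --apply flag and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): set the password-bearing sshd
# directives in a config file without hand-editing, then validate and reload.
# Assumes a GNU/Linux userland (awk, mktemp), systemd, and OpenSSH.
set -eu

# PasswordAuthentication alone is not enough when sshd runs with UsePAM yes:
# PAM can still prompt for a password over keyboard-interactive. The older
# spelling ChallengeResponseAuthentication is kept for sshd before 8.7.
HARDEN_KEYS='PasswordAuthentication KbdInteractiveAuthentication ChallengeResponseAuthentication'

# awk helper: directive name of the current line, lowercased, with a leading
# "#" stripped so commented-out copies are recognised too.
AWK_KEY_OF='
function key_of(   k) {
    k = $1; if (k == "#") k = $2
    sub(/^#+/, "", k)
    return tolower(k)
}'

# set_global_directive FILE KEY VALUE
# Writes "KEY VALUE" once at the top of the global section and drops earlier
# global copies (active or commented). sshd honours the first occurrence of a
# directive, so putting it first also overrides drop-ins pulled in by an
# Include line. Lines inside Match blocks are left alone: appending to the
# end of the file would land inside the last Match block.
set_global_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" "$AWK_KEY_OF"'
        BEGIN { print key " " value; want = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        in_match { print; next }
        key_of() == want { next }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"          # rewrite in place: keeps owner, mode, inode
    rm -f "$tmp"
}

# global_value FILE KEY: first active value in the global section (empty if
# unset), mirroring sshd's first-match rule. Use "sshd -T" on a live host.
global_value() {
    awk -v key="$2" "$AWK_KEY_OF"'
        BEGIN { want = tolower(key) }
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && key_of() == want { print $2; exit }
    ' "$1"
}

# harden_file FILE: turn every password-bearing method off in FILE.
harden_file() {
    for k in $HARDEN_KEYS; do
        set_global_directive "$1" "$k" no
    done
}

# apply_live: back up and harden the real config, refuse to reload if sshd
# rejects it, and print the effective values. Run as root, from a session you
# keep open until a fresh key login has been verified.
apply_live() {
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_file "$cfg"
    sshd -t -f "$cfg"                            # syntax check before reloading
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
    sshd -T | grep -iE '^(password|kbdinteractive)authentication'
}

if [ "${1:-}" = "--apply" ]; then
    apply_live
fi
```

Run it as root with --apply from an existing session, then open a second session with a key before closing the first. harden_file can be pointed at a copy of the config to preview the result, and global_value applies the same first-match rule as sshd, so a stale PasswordAuthentication yes from a drop-in pulled in by an Include line is overridden rather than silently winning.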
    


Locking User Accounts

Pros

  • User Account Control: Locking a user account (expiring it and disabling its password) prevents that user from logging in regardless of the authentication method, SSH keys included. This is useful for temporarily or permanently disabling an account.
  • Granular Control: This method provides more fine-grained control over individual user accounts and their login abilities.


Cons

  • Not SSH Specific: Locking the user account affects ALL types of login, not just SSH. If your goal is solely to restrict SSH access, this method might be overkill.
  • Requires User Management: Each user account needs to be managed individually. This can be cumbersome if you need to manage multiple users.


Details

To lock a user account:

  1. Expire the Account:

    Set an account expiry date in the past with chage. Day 1 (2 January 1970) is used because shadow(5) warns that the value 0 is ambiguous. Once expired, every login is refused regardless of the authentication method, including key-based SSH logins:

     sudo chage -E 1 USERNAME
    
  2. Lock the Password:

    Use usermod to lock the password as well, so the account cannot be used even if the expiry date is later removed by mistake. On its own this step is not enough: usermod -L only prefixes the password hash with "!", and when sshd runs with UsePAM yes (the default on most distributions) that prefix does not block public-key logins, which is why step 1 is required:

     sudo usermod -L USERNAME
    
  3. Reversing Changes:

    To unlock the user, run usermod -U USERNAME to restore the password and chage -E -1 USERNAME to remove the expiry date. Confirm the result with chage -l USERNAME (the "Account expires" line) and passwd -S USERNAME (a status of L means the password is locked).
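
The lock, unlock and verification steps above, as an added example that is not part of the original post: shell functions that expire and password-lock an account, undo both, and classify a /etc/shadow entry so you can confirm that a locked user can no longer log in with a key either. The shadow lines in the comments and tests are constructed; shadow_state, audit_user and the state names are this example's own; it assumes shadow-utils (chage, usermod, getent) on Linux.

```sh
#!/bin/sh
# Added example (not from the original post): lock and unlock an account so
# that neither password nor key-based SSH logins succeed, and audit the
# resulting /etc/shadow entry. Assumes shadow-utils on Linux; shadow_state
# works on any shadow-format line, live or constructed.
set -eu

# usermod -L only prefixes the password hash with "!". When sshd runs with
# UsePAM yes (the default on most distributions) that prefix is not checked
# for public-key logins, so an account expiry date is needed as well.
# Expiry day 1 (2 Jan 1970) is used rather than 0, which shadow(5) warns
# is ambiguous.
lock_account() {
    usermod -L "$1"                 # disable the password
    chage -E 1 "$1"                 # expire the account: blocks key logins too
}

unlock_account() {
    usermod -U "$1"                 # restore the password hash
    chage -E -1 "$1"                # remove the expiry date
}

# Days since the epoch, the unit the expiry field of /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_state LINE [TODAY_DAYS]
# Classifies one /etc/shadow entry (fields: name:hash:lastchg:min:max:warn:
# inactive:expire:reserved):
#   expired          expiry date has passed: every login is refused
#   password-locked  hash starts with "!" or "*": no password login, but
#                    key-based SSH logins are still possible
#   empty-password   no password at all; sshd refuses it unless
#                    PermitEmptyPasswords yes
#   open             password usable, account not expired
shadow_state() {
    line=$1 today=${2:-$(today_days)}
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$expire" -le "$today" ]; then
        echo expired
    else
        case $hash in
            '')        echo empty-password ;;
            '!'*|'*'*) echo password-locked ;;
            *)         echo open ;;
        esac
    fi
}

# audit_user USER: classify the live entry. Needs root to read shadow data.
audit_user() {
    shadow_state "$(getent shadow "$1")"
}
```

After lock_account alice, audit_user alice must report expired; if it reports password-locked, only usermod -L took effect and a user holding a key in ~alice/.ssh/authorized_keys can still log in over SSH.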


Conclusion

  • Disabling Password Authentication: This method focuses on securing SSH access by enforcing key-based authentication, which enhances security against password-based attacks. It is often the preferred choice for SSH-specific security.

  • Locking User Accounts: This approach restricts login for specific users regardless of the authentication method (provided the account is expired, not merely password-locked), offering broader account management. It is useful for managing user access more comprehensively.

Choosing between these methods depends on your specific security requirements and administrative preferences. For a targeted approach to securing SSH, disabling password authentication is generally recommended. For more comprehensive user management, account locking may be more suitable.


📝 For more information about the commands described above, review the sshd_config(5), usermod(8) and chage(1) man pages.