Secure Socket Shell or SSH is a set of different utilities to implement the ssh protocol. It is a secure encryption protocol that allows users to access and manage a remote system. It uses public key authentication by default, but some users may want to use the password. It can be done forcefully, which raises the question of how to force ssh clients to use only password authentication.
This guide sheds light on forcing the ssh client to use only password authentication.
- SSH Public Key Authentication
- SSH Password Authentication
- How to Force ssh Client to Use Only the Password Authentication?
- Why not Use the Password Authentication?
What is SSH Public Key Authentication?
The most secure authentication method for SSH is public-private key authentication, in which users generate the key(s) on the local machine. The public key is then uploaded to the server (remote) . When the user logs in, the server checks their local machine’s private key to verify their identity. Public key authentication is considered more secure than password authentication because the private key is never transmitted over the network.
What is SSH Password Authentication?
Password authentication is the most basic form of authentication, where the user enters their password to log in to the remote server. The password is transmitted over the network in plain text, so it’s considered less secure than other forms of authentication. This authentication method may pose a security threat due to its vulnerability to Brute-Force Attacks
How to Force SSH Client to Use Only Password Authentication?
To force an SSH client to use only password authentication, users must modify the sshd_config file on the server. This file is where the SSH server is configured. To do that, use the nano editor with sudo privileges to open the sshd_config file:
$ sudo nano /etc/ssh/sshd_config
The above image is a snippet of the sshd_config file, and in this file, find the “#Authentication” by scrolling down. From here, make the following edits:
- Change “PubKeyAuthentication yes” to “PubKeyAuthentication no”.
- Add a new entry if not found “PasswordAuthentication yes” then press “CTRL+S” to save the changes and “CTRL+X” to exit.
- Also remove the ‘#’ to uncomment because if it is there, the default configuration is used.
Make sure to write the words as it is; otherwise, the new settings will not be recognized. After that, save and exit the text editor.
Restart the SSH Server
Now restart the SSH server to load the changes into the system:
$ sudo systemctl restart sshd
The above image confirms that the SSH server is restarted.
Force SSH Client to Use Only Password Authentication
Let’s try to SSH a remote host with a forced password authentication using this command:
$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -o PasswordAuthentication=yes [email protected]
Here is a breakdown of the above command:
- ssh is used to invoke the command.
- -o stands for options.
- PreferredAuthentications=password sets the preferred authentication method to the password overriding the default public key method.
- PubkeyAuthentication=no forces the ssh not to use the public key authentication.
- PasswordAuthentication=yes forces the ssh to use the password authentication.
- [email protected] is the hostname and IP address of the remote machine.
The output shows that the SSH client has been accessed with only password authentication.
Why Should Password Authentication Not be Used?
Forcing password authentication is not the most secure option. Passwords can be guessed or intercepted, so use public key authentication instead. If you need password authentication, use a strong password following this guide which can help prevent the Brute Force attacks.
To force ssh clients to use only password authentication, users must change “PublicKeyAuthentication yes” to “PublicKeyAuthentication no.” Furthermore, a new entry must be added if not found “PasswordAuthentication yes.” The password authentication method is unsafe as it can be Brute-Forced, so it is not recommended.
This guide explained the technique for ssh clients to use only the password auth.