Linux

Upload the public key to the target server

First, confirm that you have already generated a key pair.

If you already have a key pair, skip to the second part.

# Key pairs are usually stored in this directory
cd ~/.ssh

# If you did not generate a pair of keys, please use the following command
# -t rsa: Specifies the type of key to create (RSA).
# -b 4096: Specifies the size of the key (4096 bits, which is more secure than the default 2048 bits).
ssh-keygen -t rsa -b 4096

# If you would like to generate another kind of key
ssh-keygen -t ed25519

Then upload your public key to the target server.

ssh-copy-id -f -i /path/to/pub/file -p port user@domain.or.ip

Modify the sshd configuration

On Linux, the sshd configuration file is located at /etc/ssh/sshd_config.

The sshd service runs on the server and controls incoming (ingress) connections.
The ssh command is the client and controls outgoing (egress) connections.

Modify manually

Use vim or nano to edit the configuration file.

sudo nano /etc/ssh/sshd_config
# Or
sudo vim /etc/ssh/sshd_config

Find the following lines and modify them.

# Disable the password-based login
#PasswordAuthentication yes
PasswordAuthentication no

# Enable the key-based login
PubkeyAuthentication yes

Modify by sed

sudo sed -i 's/^#*PasswordAuthentication[[:space:]]*.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*PubkeyAuthentication[[:space:]]*.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config

Restart the sshd service

# Restart the sshd service to apply the changes
# (keep your current session open until a key-based login succeeds)
sudo systemctl restart sshd

macOS

The steps for macOS are similar to those for Linux, although the location of the configuration file may differ slightly.

Upload the public key to the target server

As with Linux, you can use the ssh-copy-id command to upload the public key.

Modify the sshd configuration

In macOS, the configuration file is typically located at /private/etc/ssh/sshd_config.

Modify manually

Use vim or nano to edit the configuration file.

sudo nano /private/etc/ssh/sshd_config
# Or
sudo vim /private/etc/ssh/sshd_config

Then, follow the same instructions as for Linux to make the necessary changes.

Modify by sed

On macOS, the usage of the sed command is slightly different. You need to add '' (an empty backup suffix) after -i to edit the file in place.

sudo sed -i '' 's/^#*UsePAM[[:space:]]*.*$/UsePAM yes/' /private/etc/ssh/sshd_config
sudo sed -i '' '/^#*ChallengeResponseAuthentication[[:space:]]*.*$/d' /private/etc/ssh/sshd_config
echo "ChallengeResponseAuthentication no" | sudo tee -a /private/etc/ssh/sshd_config > /dev/null
sudo sed -i '' 's/^#*PasswordAuthentication[[:space:]]*.*$/PasswordAuthentication no/' /private/etc/ssh/sshd_config
sudo sed -i '' 's/^#*kbdInteractiveAuthentication[[:space:]]*.*$/kbdInteractiveAuthentication no/' /private/etc/ssh/sshd_config
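
The Linux and macOS "Modify by sed" commands differ only in how sed -i is called, and a plain substitution changes nothing when the directive is missing from the file. As an added example (not code from the original page), the functions below make the same edit portably with awk and report the first global value, which is the one sshd uses; the names set_sshd_option, global_sshd_option and demo, and the sample config, are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Works with GNU and BSD userland.

# set_sshd_option FILE KEY VALUE
# Replace the first global KEY line (commented or not) with "KEY VALUE", drop
# later global duplicates, and add the line if KEY is absent. The line always
# lands before the first Match block, so it stays a global setting.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { pat = "^[ \t]*#*[ \t]*" tolower(key) "([ \t]|$)" }
        in_match { print; next }                 # Match blocks are copied as-is
        tolower($0) ~ /^[ \t]*match[ \t]/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1; print; next
        }
        tolower($0) ~ pat {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# global_sshd_option FILE KEY: print the first value set outside Match blocks
# (sshd uses the first value it reads). Include files are not followed.
global_sshd_option() {
    awk -v key="$2" '
        tolower($0) ~ /^[ \t]*match[ \t]/ { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Constructed sample config, edited in a temp file; the real file is untouched.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$cfg"
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes      # absent in the sample
    cat "$cfg"; rm -f "$cfg"
}
demo
```

On a live server, `sudo sshd -t` checks the edited file for syntax errors before the restart, and `sudo sshd -T` prints the effective settings, including any Include files. The per-user override left inside the sample's Match block shows why the global value alone is not the whole picture.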

Restart the sshd service

sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
# Or
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
# Or
sudo launchctl bootout system /System/Library/LaunchDaemons/ssh.plist
sudo launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist

By following the above steps, you can effectively enhance the security of your server and avoid potential security threats.