Posted inTechnology

Password Authentication for SSH: A Practical Guide for Secure Remote Access

Password Authentication for SSH: A Practical Guide for Secure Remote Access

What SSH is and why password authentication matters

SSH, short for Secure Shell, provides an encrypted channel for remote system administration. It replaces older, insecure protocols that sent credentials in plaintext and helps ensure confidentiality and integrity during login, file transfers, and remote command execution. Among the various methods to verify identity, password authentication is the most familiar: a user types a username and a secret password, and the server validates the credentials before granting access.

Password authentication remains a viable option in many environments, especially where hardware tokens or public key infrastructure are not yet in place. However, because human passwords can be weak or reused, password authentication introduces specific security considerations. When combined with proper policies, monitoring, and defense-in-depth, it can be used safely. When used without restraint, it becomes a vector for brute-force attacks and credential stuffing. Balancing convenience with security is the core challenge of managing SSH password authentication.

Pros and cons of password authentication

  • Pros: Easy to set up for administrators and users; does not require generating and distributing public keys; works across diverse environments without extra tooling.
  • Cons: More susceptible to guessing and brute-force attempts; password reuse across services amplifies risk; logging in from potentially compromised devices can expose credentials.

In practice, many operators start with password authentication enabled for a transitional period and then move toward stronger methods. The decision should factor in user behavior, the exposure of the SSH server to the internet, and the availability of controls like multi-factor authentication or public key authentication.

Enabling password authentication: a practical, safe approach

If you choose to enable password authentication, apply a layered strategy: enforce strong passwords, limit login attempts, monitor access, and consider routing SSH through a bastion host or VPN. The configuration of the SSH daemon (sshd) is central to this approach.

On most Linux systems, the main configuration file is /etc/ssh/sshd_config. The following settings influence password-based login and related authentication methods.

# /etc/ssh/sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin prohibit-password

Key points:

  • PasswordAuthentication should be set to yes if you want to allow password-based login. If you plan to move away from password authentication entirely, set this to no.
  • PubkeyAuthentication enables public key login alongside passwords. Keeping this enabled allows a transition period where both methods work.
  • ChallengeResponseAuthentication relates to PAM-based methods. Keeping it enabled lets PAM policies govern password quality and account behavior.
  • UsePAM integrates PAM modules, which can enforce password complexity, account lockouts, and session controls.
  • PermitRootLogin controls root access. For security, consider prohibiting root logins or at least requiring key-based authentication for root. A common practice is PermitRootLogin prohibit-password or PermitRootLogin no.

After modifying sshd_config, apply the changes by restarting the SSH service. The exact command depends on your init system: 

# systemd (most modern distros)
sudo systemctl restart sshd

# or on some Debian-based systems
sudo systemctl restart ssh

Before ending your current session, open a new terminal and test a login from a different machine. This ensures the configuration works as intended and helps you avoid locking yourself out. If something goes wrong, you can revert the changes or adjust specific directives to regain access.

Security considerations and hardening best practices

If password authentication remains enabled, adopt a defense-in-depth approach to minimize risk.

  • Enforce strong passwords: Use a policy that requires long, unique passphrases, and consider password aging to compel periodic updates.
  • Limit login attempts: Install and configure tools like fail2ban or similar to block repeated failed attempts from an IP address.
  • Network restrictions: Place the SSH service behind a firewall, limit access to trusted networks, or use a VPN/bastion host to reduce exposure.
  • Audit and monitoring: Enable logging for authentication events, periodically review access logs, and set up alerts for unusual login patterns.
  • Disable empty passwords: Ensure the system does not allow accounts with no password and verify that PermitEmptyPasswords is set to no.
  • Session and timeouts: Configure LoginGraceTime and MaxAuthTries to reduce the window for credential guessing and reduce brute-force success chances.
  • Consider multi-factor authentication (MFA): If feasible, add MFA for SSH. Even with password authentication, an MFA layer dramatically improves security posture.

A cautious path is to enable password authentication while actively steering users toward public key authentication as a more robust alternative. In time, you can retire password-based logins entirely and rely on keys with passphrases or MFA for added protection.

Alternatives: public key authentication and beyond

Public key authentication is widely regarded as more secure than password authentication for SSH. It eliminates the risk of password spraying and reduces the chance of credential compromise. The typical workflow involves generating a key pair on the client and placing the public key on the server in the user’s ~/.ssh/authorized_keys file.

Simple steps to adopt public key authentication:

  • On the client: Generate a key pair using a strong algorithm (for example, RSA with 4096-bit or Ed25519) and a strong passphrase.
  • Copy the public key to the server: Use ssh-copy-id or manually append the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the server.
  • Configure the server for key-based login: Ensure PubkeyAuthentication yes and consider setting PasswordAuthentication no only after you confirm all clients can access the server with their keys.
  • Protect your private keys: Store private keys securely, back them up, and consider a passphrase or hardware-backed storage for added protection.

With public key authentication in place, the server’s exposure to password-based attacks drops significantly. For organizations handling highly sensitive data or large fleets of servers, this approach is often the default baseline.

Common troubleshooting tips

When diagnosing SSH password authentication issues, a few checks usually reveal the problem:

  • Verify the sshd_config changes were loaded for the running service. Look for PasswordAuthentication, PubkeyAuthentication, and related directives in the active configuration.
  • Check file and directory permissions on the user’s home and SSH-related files. Incorrect permissions can prevent authentication from proceeding.
  • Inspect system logs for authentication messages. On many systems, you’ll find relevant entries in /var/log/auth.log or /var/log/secure.
  • Ensure that PAM modules don’t inadvertently block access or reject valid credentials due to policy rules.
  • Confirm that the client is using the correct username and the server is reachable on the expected port (default 22).

If you’re testing password authentication, you might temporarily enable verbose logging on the client side with ssh -v user@server to observe the handshake and pinpoint where authentication fails.

Conclusion

Password authentication remains a practical option for remote SSH access when managed with thoughtful security controls. By configuring sshd carefully, enforcing strong password policies, and combining password authentication with monitoring and rate limiting, you can maintain a solid security posture without sacrificing usability. For many operators, the best long-term path is to layer in public key authentication, MFA, and network hardening, then progressively reduce reliance on passwords. This approach preserves operational flexibility while strengthening resilience against common threats targeting SSH services.

In the end, the choice between password authentication and more advanced methods should reflect your threat model, user base, and operational capabilities. With disciplined configuration and ongoing oversight, SSH can remain both accessible and secure for your organization.