Any Linux server exposed to the public internet suffers thousands of brute-force attacks every single day. If you are still using a root password to log in, it’s like leaving your house keys under the doormat.
This article will teach you how to completely close the password login entryway by configuring SSH key pairs, leaving hackers with nowhere to enter.
1. Principle: Why are Keys Safer than Passwords?
- Passwords: Also known as “Something you know”. They can be guessed, cracked via dictionary attacks, or intercepted by a man-in-the-middle.
- Private Keys: Also known as “Something you have”. Using asymmetric encryption algorithms (such as Ed25519 or RSA). Only the person possessing the private key file can decrypt the challenge code sent by the server.
2. Generate High-Strength Key Pairs (Ed25519)
Although RSA is a well-established standard, in 2026, it is recommended to use the shorter, faster, and safer Ed25519 algorithm.
Run this in your local (Mac/Windows) terminal:
ssh-keygen -t ed25519 -C "your_email@example.com"- This generates
id_ed25519(Private key, absolutely do not leak) andid_ed25519.pub(Public key). - Strongly recommended: Set a passphrase. This way, even if the private key file is stolen, it cannot be used without the password.
3. Deploy the Public Key to the Server
Using the ssh-copy-id command is the simplest method:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server_ipIf configuring manually, you append the contents of the public key to the server’s ~/.ssh/authorized_keys file.
4. The Key Step: Disable Password Login
After uploading the public key and confirming successful login, you must disable password login; otherwise, all the previous work is in vain.
Edit the server’s /etc/ssh/sshd_config:
# Disable root login (Optional but recommended)PermitRootLogin no
# Disable password authentication (Must do)PasswordAuthentication no
# Disable empty passwordsPermitEmptyPasswords no
# Enable public key authenticationPubkeyAuthentication yesRestart the SSH service:
sudo service ssh restart⚠️ Critical Security Warning (Life-saving Tip)
Before executing the restart command to restart the SSH service, do not close your current terminal window!
Please open a new terminal window to try connecting to the server.
- If successful: Congratulations, configuration complete.
- If it fails: You can still save it! In the original window, revert the
sshd_configchanges and restart the service again.
If you close everything and can’t connect, you’ll have to rely on the cloud provider’s web console (VNC/Console) for emergency access.
5. Advanced Protection
To make it impregnable, you can also:
- Change the default port: Change the SSH port from 22 to something uncommon (e.g., 22222) to filter out 99% of script scans.
- Fail2Ban: Install Fail2Ban software. When it detects someone failing to log in consecutively for N times, it automatically blacklists their IP at the firewall level.
Summary
There is no absolute security, only cost. By configuring SSH keys and disabling passwords, we raise the attacker’s cracking cost from “running a dictionary” to the astronomical level of “breaking an encryption algorithm.” This is a fundamental skill for every server administrator.
If this article helped you, please share it with others!
Some information may be outdated





