
Linux - System Preferences - Disable Password Authentication for SSH

Disable SSH password authentication and require key-based authentication on Linux endpoints

Worklet Details

What the SSH Password Disabler does

This Automox Worklet™ disables password-based authentication for SSH connections on Linux endpoints. After remediation, users must authenticate using SSH public key pairs instead of passwords.

The Worklet removes any existing PasswordAuthentication directives from /etc/ssh/sshd_config and adds PasswordAuthentication no at the end of the file. Before restarting SSH, the Worklet validates the configuration syntax using sshd -t to prevent service disruption from configuration errors.

If the configuration validation passes, the Worklet restarts the sshd service to apply the changes. Existing SSH sessions remain connected during the restart.

Why disable SSH password authentication

SSH servers with password authentication enabled face relentless automated brute force attacks. Attackers scan for open SSH ports and systematically attempt common usernames like root, admin, and ubuntu with dictionary-based passwords. Even strong password policies cannot prevent credential stuffing attacks using leaked passwords from unrelated breaches.

Public key authentication eliminates password transmission over the network entirely. Key pairs such as 2048-bit or 4096-bit RSA are computationally infeasible to brute force. Users can protect private keys with passphrases for defense-in-depth without exposing credentials to network interception.

Compliance frameworks mandate key-based authentication for administrative access. CIS Benchmarks recommend disabling password authentication, PCI-DSS requires strong authentication for privileged access, and NIST SP 800-53 AC-17 mandates cryptographic mechanisms for remote access.

How SSH password disabling works

  1. Evaluation phase: The Worklet verifies that /etc/ssh/sshd_config exists. It then queries the effective SSH configuration using sshd -T and checks the passwordauthentication setting. If password authentication is enabled or not explicitly disabled, the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet uses sed to remove all existing PasswordAuthentication lines from sshd_config. It appends PasswordAuthentication no to the file, runs sshd -t to validate syntax, and restarts the sshd service using systemctl restart sshd.
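A sketch of the two phases above, added here as an example and not the Worklet's own script. The SSHD_CONFIG and SSHD_BIN variables, the function names, the backup-and-restore step and the --apply switch are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example, not the Worklet's own script. SSHD_CONFIG, SSHD_BIN and the
# function names are assumptions chosen for this sketch.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_BIN="${SSHD_BIN:-sshd}"

# Evaluation: 0 = compliant, 1 = needs remediation.
evaluate() {
    [ -f "$SSHD_CONFIG" ] || return 1
    # sshd -T prints the effective settings with lowercase keywords, so it also
    # reflects Include'd drop-in files, where the first value read wins.
    "$SSHD_BIN" -T -f "$SSHD_CONFIG" 2>/dev/null |
        grep -qx 'passwordauthentication no'
}

# Delete every active PasswordAuthentication line, then append the enforced one.
rewrite_config() {
    sed -i -E '/^[[:space:]]*PasswordAuthentication([[:space:]=]|$)/Id' "$1"
    # Guard against a file with no trailing newline, which would glue the
    # directive onto the previous line.
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    echo 'PasswordAuthentication no' >> "$1"
}

restart_sshd() { systemctl restart sshd; }

# Remediation: rewrite, validate with sshd -t, restart only if validation passes.
remediate() {
    backup="$(mktemp "${SSHD_CONFIG}.bak.XXXXXX")" || return 1
    cp -p "$SSHD_CONFIG" "$backup"
    rewrite_config "$SSHD_CONFIG"
    if ! "$SSHD_BIN" -t -f "$SSHD_CONFIG"; then
        mv -f "$backup" "$SSHD_CONFIG"   # roll back; the running sshd is untouched
        echo "sshd -t rejected the new config; original restored" >&2
        return 1
    fi
    rm -f "$backup"
    restart_sshd
}

# Run only when asked, e.g. `sudo ./script.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
    evaluate || remediate
fi
```

Because sshd uses the first value it reads for each keyword, an Include'd drop-in file or a trailing Match block can leave the global setting unchanged even after the append. Rerunning evaluate after remediation surfaces that case.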

SSH password authentication requirements

  • SSH server installed with configuration at /etc/ssh/sshd_config

  • Root or sudo privileges for configuration changes and service restart

  • SSH public keys deployed to user authorized_keys files before disabling passwords

  • Alternative access method available in case of SSH key issues

Expected SSH authentication state after remediation

After successful remediation, SSH connections require public key authentication exclusively. Users attempting password-based authentication receive Permission denied (publickey) errors. The /etc/ssh/sshd_config file contains PasswordAuthentication no, and the SSH service enforces cryptographic key validation for all connection attempts.

Users with properly configured SSH keys in ~/.ssh/authorized_keys connect normally without disruption. Verify the configuration by running sshd -T | grep passwordauthentication, which returns passwordauthentication no. The Automox Activity Log shows the configuration change and service restart status, documenting the security hardening action for compliance audits.

How to validate the SSH password authentication changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for the SSH password authentication setting.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state using checks aligned to the evaluation script's logic, such as its exit and else operations.

  4. Validate the remediation effects of script operations such as exit, sed, and else, then rerun the evaluation to confirm compliance.

For technical validation, compare the endpoint state to the Worklet's evaluation logic and remediation flow for disabling SSH password authentication. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and else, and remediation operations such as exit, sed, and else. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
