SSH Authentication Methods in sshd_config (Password, Public Key, PAM)

Configure OpenSSH authentication in sshd_config: password, public key, keyboard-interactive, host-based, GSSAPI, AuthenticationMethods, and Match blocks on Linux.

Published

Updated

Read time 12 min read

Reviewed byDeepak Prasad

SSH Authentication Methods in sshd_config (Password, Public Key, PAM)

sshd_config decides how users prove who they are when they SSH in—password, key, PAM prompt, or something stricter per group. If you have ever flipped PasswordAuthentication and hoped you would not lock yourself out, this page is for you.

Below are copy-paste recipes first, then the directives for each method and the ssh -v lines you should expect. I re-ran sshd -T and local key login on Ubuntu 26.04; the longer ssh -v traces for pubkey failure, keyboard-interactive, and host-based auth come from my earlier RHEL 7 client → RHEL 8 server lab and still match what OpenSSH prints today.

Tested on: Ubuntu 26.04 LTS (Resolute Raccoon); kernel 7.0.0-27-generic; OpenSSH 10.2p1.


Quick answer: SSH authentication methods in sshd_config

Method sshd_config directive Typical hardened value
Password PasswordAuthentication no (after keys work)
Public key PubkeyAuthentication yes
Keyboard-interactive / PAM KbdInteractiveAuthentication no unless you need 2FA
Host-based HostbasedAuthentication no
GSSAPI / Kerberos GSSAPIAuthentication no unless using AD/IPA
Kerberos passwords KerberosAuthentication no unless using Kerberos
Require multiple factors AuthenticationMethods publickey or publickey,password
Empty passwords PermitEmptyPasswords no
PAM integration UsePAM yes on most Linux distros

Read effective values (after Include drop-ins and Match rules):

bash
sshd -T | grep -iE 'passwordauthentication|pubkeyauthentication|kbdinteractive|authenticationmethods|hostbased|gssapi|kerberos|permitemptypasswords'

Running that on Ubuntu 26.04:

text
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no
hostbasedauthentication no
gssapiauthentication no
kerberosauthentication no
authenticationmethods any
permitemptypasswords no

Common sshd_config authentication recipes

Key-only SSH login

Use this for most hardened Linux servers after key login is tested:

text
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
PermitEmptyPasswords no

Validate and reload:

bash
sudo sshd -t
sudo systemctl reload ssh || sudo systemctl reload sshd

Password login only for a lab server

Use only on private/lab systems:

text
PasswordAuthentication yes
PubkeyAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no

Public key plus password

Require both a valid SSH key and the account password:

text
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

Public key plus PAM/OTP

Use this when PAM provides OTP or another challenge:

text
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Different rule for an SFTP group

text
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

Match Group sftpusers
    PasswordAuthentication yes
    AuthenticationMethods password
    ForceCommand internal-sftp

How sshd chooses an authentication method

When you run ssh, the client and sshd negotiate until one authentication method succeeds or the connection is refused. Server policy lives in /etc/ssh/sshd_config, often with snippets under /etc/ssh/sshd_config.d/ on Ubuntu, Debian, and RHEL 8+. Client defaults sit in /etc/ssh/ssh_config and ~/.ssh/config — see SSH client config (ssh_config) when you need client-side tweaks.

Commented-out lines in sshd_config still matter: OpenSSH applies built-in defaults. Run sshd -T when you want the merged result after drop-ins and Match blocks. Throughout this page, client means the machine where you type ssh; server is the host running sshd.

NOTE
AuthenticationMethods changes the rules. With AuthenticationMethods publickey,password, the user must pass both a key and a password. With the default any, one successful method is enough.

PasswordAuthentication vs KbdInteractiveAuthentication

These two settings confuse people because both can end with a Password: prompt on the client.

PasswordAuthentication KbdInteractiveAuthentication
Protocol method Plain SSH password auth Keyboard-interactive (often PAM-backed)
Typical use Simple password login OTP, 2FA, or multi-step PAM
Auth log line Accepted password for Accepted keyboard-interactive/pam for
Disable for key-only Set no Also set no — PAM can still prompt otherwise

Since OpenSSH 8.7 documentation, KbdInteractiveAuthentication is the preferred name; ChallengeResponseAuthentication is kept as a deprecated alias for compatibility.

Setting PasswordAuthentication no alone does not guarantee users will never see a password prompt. If KbdInteractiveAuthentication yes and UsePAM yes, PAM may still ask for a password through the keyboard-interactive path. Check all three on the server:

bash
sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication|usepam'
text
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes

Password authentication

Password authentication sends the user password over the encrypted SSH channel. PAM still handles account checks when UsePAM yes (the default on Ubuntu and RHEL).

On the server, confirm the setting in /etc/ssh/sshd_config:

bash
egrep '^PasswordAuthentication' /etc/ssh/sshd_config

When the line is present and uncommented:

text
PasswordAuthentication yes

If it is commented out, check what sshd actually applies:

bash
sshd -T | grep passwordauthentication
text
passwordauthentication yes

To allow password logins explicitly, add to /etc/ssh/sshd_config or a drop-in under /etc/ssh/sshd_config.d/:

text
PasswordAuthentication yes
UsePAM yes
PermitEmptyPasswords no
WARNING

PasswordAuthentication no disables the plain password authentication method, but users may still see a password-like prompt through KbdInteractiveAuthentication when PAM is enabled. Check both values with sshd -T:

bash
sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication|usepam'
WARNING
Password authentication is the main target of brute-force attacks. Pair rate limiting with Fail2ban for SSH or network-level controls, and plan to move to public keys for admin accounts.

On the server, a successful password login is logged as Accepted password for:

text
Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
Nov 22 08:53:15 rhel-8.example.com systemd-logind[1057]: New session 39 of user root.
Nov 22 08:53:15 rhel-8.example.com systemd[1]: Started Session 39 of user root.

Public key authentication

Public key authentication is the standard hardening step: users prove possession of a private key; the server checks ~/.ssh/authorized_keys (or paths from AuthorizedKeysFile).

On the server, enforce key-only access:

text
PasswordAuthentication no
PubkeyAuthentication yes

Verify on the server:

bash
egrep '^PasswordAuthentication|^PubkeyAuthentication' /etc/ssh/sshd_config
text
PasswordAuthentication no
PubkeyAuthentication yes

Before you harden a fresh Ubuntu install, both are usually still on:

bash
sshd -T | grep -E 'pubkeyauthentication|passwordauthentication'
text
pubkeyauthentication yes
passwordauthentication yes

The default key file paths:

bash
sshd -T | grep authorizedkeysfile
text
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2

Generate a key pair on the client, copy the public key to the server, then test before disabling passwords. See generate SSH key on Linux and the SSH command cheat sheet for ssh-keygen and ssh-copy-id.

Pubkey-only server, no key configured (failure)

If the server allows only public keys and authorized_keys is empty, login fails:

bash
ssh -v rhel-8
text
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Public key configured (success)

After you copy the public key to the server:

bash
ssh -v rhel-8
text
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Authentication succeeded (publickey).
Authenticated to rhel-8 ([10.10.10.7]:22).

On OpenSSH 10.x the success line often reads Authenticated to host using "publickey". Same flow on Ubuntu 26.04:

bash
ssh -i ~/.ssh/id_rsa -v [email protected] exit
text
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:QctH5c77yvxCJMG6WUQfAfwvfxRR4VBhFK+1rAFsoCY
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:QctH5c77yvxCJMG6WUQfAfwvfxRR4VBhFK+1rAFsoCY
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "publickey".

A pubkey-only public host (GitHub) advertises only publickey:

bash
ssh -o PreferredAuthentications=none -v [email protected] 2>&1 | grep 'Authentications that can continue'
text
debug1: Authentications that can continue: publickey

Keyboard-interactive and PAM

KbdInteractiveAuthentication enables keyboard-interactive authentication—a multi-step challenge/response dialog between client and server. On most Linux systems this path goes through PAM, so it can prompt for a password, a one-time code, or multiple factors.

Since OpenSSH 8.7 documentation, KbdInteractiveAuthentication is the preferred name; ChallengeResponseAuthentication is kept as a deprecated alias for compatibility. Ubuntu 26.04 ships with keyboard-interactive off:

bash
grep KbdInteractiveAuthentication /etc/ssh/sshd_config
sshd -T | grep kbdinteractiveauthentication
text
KbdInteractiveAuthentication no
kbdinteractiveauthentication no

To use PAM-based two-factor authentication, enable keyboard-interactive and configure a PAM stack (for example Google Authenticator or offline OTP). See offline two-factor SSH authentication for a full walkthrough.

text
KbdInteractiveAuthentication yes
UsePAM yes

With other methods turned off and only keyboard-interactive left, negotiation looks like this:

bash
ssh -vvv rhel-8.example.com
text
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).

With only PAM password modules configured, that single Password: prompt looks the same as plain password auth. Check the server log to tell them apart—keyboard-interactive:

text
Nov 22 08:49:30 rhel-8.example.com sshd[8434]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 42180 ssh2
Nov 22 08:49:30 rhel-8.example.com systemd-logind[1057]: New session 38 of user root.
Nov 22 08:49:30 rhel-8.example.com systemd[1]: Started Session 38 of user root.

Versus plain password auth on the same setup:

text
Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
NOTE
Keyboard-interactive is intended for PAM backends that send multiple challenges—OTP tokens, RSA SecurID, or RADIUS. With a basic PAM password stack it duplicates PasswordAuthentication; disable one or the other to avoid operator confusion.

Require multiple factors with AuthenticationMethods

AuthenticationMethods sets which methods must succeed and in what combination.

Setting Meaning
AuthenticationMethods any Default—one successful method is enough
AuthenticationMethods publickey Key only (explicit belt-and-braces with PasswordAuthentication no)
AuthenticationMethods password Password only
AuthenticationMethods publickey,password Multi-factor: valid key and password
AuthenticationMethods publickey,keyboard-interactive Key plus PAM/OTP challenge

Example key-only policy in a drop-in file /etc/ssh/sshd_config.d/99-hardening.conf:

text
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

Validate syntax before reload:

bash
sudo sshd -t

No output means the file parses cleanly. To preview that drop-in before you install it, point sshd -T at a minimal standalone config (Ubuntu 26.04):

bash
sshd -T -f /tmp/sshd-hardening.conf | grep -iE 'passwordauthentication|authenticationmethods'
text
passwordauthentication no
authenticationmethods publickey

After you add the drop-in and reload sshd, confirm on the live server with sshd -T | grep -iE 'passwordauthentication|authenticationmethods'.


Per-user and per-group rules with Match

Match blocks at the end of sshd_config override global settings for specific users, groups, or source addresses.

Example: global key-only access, but password auth for an SFTP group:

text
PasswordAuthentication no
PubkeyAuthentication yes

Match Group sftpusers
    PasswordAuthentication yes
    AuthenticationMethods password
    ForceCommand internal-sftp
IMPORTANT
Place Match blocks last. A Match section stays active until the next Match line or end of file—directives below a Match without their own block inherit the match context and can surprise you.

Preview effective settings for a specific user and group:

bash
sshd -T -C user=deploy,group=sftpusers,host=myserver,addr=203.0.113.10 \
  | grep -iE 'passwordauthentication|authenticationmethods|forcecommand'

Use this after every Match change. If AuthenticationMethods publickey is set globally, a Match group that needs passwords must also set AuthenticationMethods password (or any) inside the block—otherwise only public keys work even when PasswordAuthentication yes is present.


Host-based authentication

Host-based authentication trusts a client host (via /etc/ssh/shosts.equiv or .shosts files) plus host keys—not just a user key. It is rare in production because it can enable passwordless access for many users from a trusted host.

Keep it disabled unless you have a documented need:

text
HostbasedAuthentication no
IgnoreRhosts yes

Defaults on the Ubuntu test host:

bash
sshd -T | grep -E 'hostbasedauthentication|ignorerhosts'
text
hostbasedauthentication no
ignorerhosts yes

For a full host-based setup, see configure SSH host-based authentication.

With host-based auth wired up, ssh -v shows the host key path succeeding:

bash
ssh -v rhel-8.example.com
text
debug1: Next authentication method: hostbased
debug1: userauth_hostbased: trying hostkey ecdsa-sha2-nistp256 SHA256:/r/FWD0IwFpOcuqEnFrkcNQZKI23vOzb94ZWjevwpMc
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
debug1: Remote: Accepted for rhel-7.example.com [10.10.10.10] by /etc/ssh/shosts.equiv.
Last login: Thu Nov 21 21:23:52 2019 from rhel-7.example.com

GSSAPI and Kerberos authentication

GSSAPI authentication integrates SSH with Kerberos (Active Directory, FreeIPA, or MIT Kerberos). Users with valid Kerberos tickets can SSH without typing a password or uploading a key.

Relevant directives:

text
GSSAPIAuthentication no
GSSAPIKeyExchange no
KerberosAuthentication no

Check effective values:

bash
sshd -T | grep -iE 'gssapi|kerberos'
text
gssapiauthentication no
gssapikeyexchange no
kerberosauthentication no

Enable GSSAPI only when the host is joined to a realm—join Linux to Active Directory or install FreeIPA—and Kerberos is working (klist shows a valid ticket). Misconfigured Kerberos often produces debug1: No credentials forwarded in ssh -v output while password or key auth still works.


PermitRootLogin controls whether root can log in over SSH. It is separate from PasswordAuthentication.

Common hardened value:

text
PermitRootLogin prohibit-password

This allows root login with keys but blocks root password and keyboard-interactive login for root. To block root SSH completely:

text
PermitRootLogin no

The upstream sshd_config(5) built-in default is prohibit-password, not yes. Your distribution, cloud image, or local drop-in may override that.

Check the effective value:

bash
sshd -T | grep permitrootlogin

On this test host:

text
permitrootlogin yes

Your distribution or image may set a different value. Always confirm the effective setting with sshd -T | grep permitrootlogin instead of relying on commented defaults in /etc/ssh/sshd_config.


Apply and verify changes safely

Do not reload sshd until sshd -t is happy.

Edit /etc/ssh/sshd_config or a file under /etc/ssh/sshd_config.d/, then validate:

bash
sudo sshd -t

Reload while keeping your current session open:

bash
sudo systemctl reload ssh

On RHEL and CentOS the service name is usually sshd:

bash
sudo systemctl reload sshd

Open a second terminal and log in before you close the first. ssh -v user@server should show which methods were offered and which one succeeded.

For connection debugging, see test SSH connection. Broader hardening ideas are in prevent brute-force SSH attacks.


Troubleshooting

Symptom Likely cause Fix
Permission denied (publickey) No key in authorized_keys, wrong permissions, or keys disabled Run ssh-copy-id; check ~/.ssh is 700 and authorized_keys is 600; confirm PubkeyAuthentication yes
Key exists but is not used Wrong AuthorizedKeysFile, home directory permissions, or SELinux context Check sshd -T | grep authorizedkeysfile, run restorecon -Rv ~/.ssh on SELinux systems
Password works but keys do not PasswordAuthentication yes only; pubkey off or wrong key sshd -T | grep pubkeyauthentication; verify authorized_keys line matches ssh -i key
Password prompt after PasswordAuthentication no KbdInteractiveAuthentication + PAM still enabled sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication|usepam'; set KbdInteractiveAuthentication no unless you need OTP
Password stopped working after hardening PasswordAuthentication no globally or in Match Restore via console/out-of-band access; set PasswordAuthentication yes in a drop-in; reload
sshd: reprocess config line X: Bad configuration option Typo or directive removed in newer OpenSSH Run sshd -t; check sshd_config(5) for your OpenSSH version
SFTP group cannot use passwords Global AuthenticationMethods publickey without a Match override Inside Match Group, set AuthenticationMethods password and PasswordAuthentication yes
Keyboard-interactive looks like password PAM only asks for password Expected with basic PAM; check auth log for keyboard-interactive/pam vs password
ChallengeResponseAuthentication appears in old guides Deprecated alias for KbdInteractiveAuthentication Use KbdInteractiveAuthentication in new configs; old aliases may still parse on some versions
Config change has no effect Edited wrong file; drop-in overridden Check Include lines; run sshd -T and sshd -T -C user=...,group=...
Locked out after reload Bad config while PasswordAuthentication was off Use VM console, IPMI, or cloud serial console; fix config from rescue mode

References


Summary

Start from the recipe that matches your goal—key-only, password lab, key plus password, or SFTP Match—then confirm with sshd -T and sshd -t before reload. Turn off both PasswordAuthentication and KbdInteractiveAuthentication when you want no password prompts at all. Keep a second SSH session open while you test, and use Match at the bottom of the file when one group needs different rules.

Frequently Asked Questions

1. What SSH authentication methods can I configure in sshd_config?

OpenSSH supports password, public key, keyboard-interactive (PAM/2FA), host-based, and GSSAPI/Kerberos authentication. Control each with directives such as PasswordAuthentication, PubkeyAuthentication, KbdInteractiveAuthentication, HostbasedAuthentication, and GSSAPIAuthentication in /etc/ssh/sshd_config.

2. How do I disable SSH password login and allow keys only?

Set PasswordAuthentication no and PubkeyAuthentication yes, run sshd -t, reload sshd, and test key login in a second session before closing your current one. Optionally add AuthenticationMethods publickey for an explicit key-only policy.

3. What is the difference between PasswordAuthentication and KbdInteractiveAuthentication?

PasswordAuthentication enables plain password auth. KbdInteractiveAuthentication enables keyboard-interactive auth through PAM, which can prompt for passwords, OTP codes, or multiple challenges. Since OpenSSH 8.7, KbdInteractiveAuthentication is the preferred name; ChallengeResponseAuthentication is a deprecated alias.

4. What does AuthenticationMethods do in sshd_config?

AuthenticationMethods lists methods that must all succeed before access is granted. For example, publickey,password requires both a valid key and a password. The default is any, meaning one successful method is enough.

5. How do I set different SSH auth methods per user or group?

Add Match blocks at the end of sshd_config. For example, Match Group sftpusers with PasswordAuthentication yes overrides global settings for members of that group. Verify effective settings with sshd -T -C user=NAME,group=GROUP,host=HOST,addr=IP.

6. How do I apply sshd_config changes safely?

Run sshd -t to validate syntax, then reload with systemctl reload ssh or systemctl reload sshd. Keep an existing SSH session open while testing from a second terminal so a bad change cannot lock you out.
Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …