Password authentication is _the_ most basic thing every server should have disabled.
Otherwise anyone who can reach the SSH port can keep guessing passwords until one works, and a brute-force attempt costs them nothing.
> "But my server is not exposed to the internet."
I guess you _could_ get away with not disabling password authentication, but it's still not a good idea: the moment something else on that network gets compromised, your server is exposed to exactly the attacker you were not expecting.
On top of that, it's less convenient to have to type in a password every time you want to log into your server (more on that in the SSH Agent section).
In order to disable password authentication, open your SSH daemon configuration file: `/etc/ssh/sshd_config` and look for the following lines...
```sshd_config
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
...
```
...uncomment `PasswordAuthentication` and replace "yes" with "no". Two things catch people out here. First, sshd uses the first value it reads for a keyword, and recent distributions put an `Include /etc/ssh/sshd_config.d/*.conf` line at the very top of the file, so a drop-in in that directory (cloud images often ship one that turns password authentication back on) silently wins over your edit; check the value sshd actually ends up with using `sshd -T | grep -i passwordauthentication`. Second, with `UsePAM yes` a password can still be asked for through keyboard-interactive authentication, so also set `KbdInteractiveAuthentication no` (older releases call it `ChallengeResponseAuthentication`).
Make sure you still have a way into your server before restarting the daemon: keep the session you are in open, and test a fresh key-based login from a second terminal after the restart. To confirm that passwords are really refused, try `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host`; it should be rejected outright instead of prompting for a password.
Be aware that you can still get to the root account with `sudo su -` (assuming you're using `sudo` on your server; otherwise use whatever other privilege escalation tool you have at hand).
Before restarting, run `sshd -t` to check the configuration for syntax errors; with a broken config the daemon simply refuses to start. Restarting the daemon on modern systems is usually done using:
```sh
systemctl restart sshd
```
On Debian and Ubuntu the unit is named `ssh`, so use that if `sshd` is not found. Restarting only replaces the listener; sessions that are already open stay up, which is what keeps your existing login alive.
If you're not using systemd, I'm sure you know what command to use instead.
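The "first value wins" rule above is easy to get wrong by hand, so here is an added example (not part of the original post) that reimplements the order in which sshd reads its configuration and runs it against a constructed config tree in a temp directory instead of the real `/etc/ssh`. The `50-cloud-init.conf` drop-in and the `00-hardening.conf` fix are assumptions modelled on an Ubuntu cloud image; the file names are illustrative.

```sh
#!/bin/sh
# Added example, not part of the original post: a small reimplementation of
# the order in which sshd reads its configuration, run against a constructed
# config tree in a temp directory rather than the real /etc/ssh.
# Rules it mirrors: "Include" lines are expanded in place (matching files in
# sorted order, relative paths relative to the config dir), the first value
# obtained for a keyword wins, and everything after the first "Match" line
# is conditional, so it is not a global default.

# expand_includes DIR [FILE]: print FILE (default DIR/sshd_config) with each
# Include line replaced by the contents of the files it matches.
expand_includes() {
  dir=$1
  file=${2:-$dir/sshd_config}
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f      # split into words without globbing
    kw=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
    if [ "$kw" = include ]; then
      shift
      for pat in "$@"; do
        case $pat in /*) ;; *) pat=$dir/$pat ;; esac
        for f in $pat; do               # glob expansion yields sorted order
          if [ -f "$f" ]; then expand_includes "$dir" "$f"; fi
        done
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$file"
}

# effective DIR KEYWORD: print the value sshd would use for KEYWORD, i.e. the
# first occurrence in the expanded config before any Match block.
effective() {
  kw=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  expand_includes "$1" | awk -v kw="$kw" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    { l = $0; sub(/=/, " ", l); n = split(l, f) }   # "Key value" or "Key=value"
    tolower(f[1]) == "match" { exit }               # global section ends here
    n >= 2 && tolower(f[1]) == kw { print f[2]; exit }
  '
}

# make_demo_tree DIR: a constructed tree modelled on Ubuntu cloud images,
# where sshd_config starts with an Include and a cloud-init drop-in turns
# password authentication back on.
make_demo_tree() {
  mkdir -p "$1/sshd_config.d"
  cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF
  printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

# harden DIR: add a drop-in that sorts before 50-cloud-init.conf, so its
# values are the first ones sshd obtains.
harden() {
  printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
    > "$1/sshd_config.d/00-hardening.conf"
}

tmp=$(mktemp -d)
make_demo_tree "$tmp"
echo "before: PasswordAuthentication=$(effective "$tmp" PasswordAuthentication)"  # yes: the drop-in wins
harden "$tmp"
echo "after:  PasswordAuthentication=$(effective "$tmp" PasswordAuthentication)"  # no
rm -rf "$tmp"
```

On a real host the authoritative answer is `sshd -T`, which prints the merged configuration after all includes; the script above only exists to make the ordering visible without touching a live daemon.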
## Adding keys to `authorized_keys`
When going through `/etc/ssh/sshd_config` you've probably come across a few lines resembling:
```sshd_config
...
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
```
That comment sits next to the `AuthorizedKeysFile` directive, whose default means the SSH daemon looks for authorized public keys in `.ssh/authorized_keys` in the home directory of the user you are logging in as. sshd is picky about that file: with `StrictModes` (the default) it ignores the keys if the home directory, `~/.ssh` or `authorized_keys` is writable by group or others, so keep them at `0700` and `0600` and owned by the user.
The proper way to install a key is `ssh-copy-id`, but I'm usually too lazy to remember that and just open the file in `vi` and paste it in by hand during the same initial login in which I'm disabling password authentication.
If people tend not to think much about their server configuration, their client configuration probably isn't touched at all.
## The `~/.ssh/config` file
The very first thing I do after setting up a server is add an entry to my `~/.ssh/config` in order to pin its key, the user, the port and possibly a subdomain should the need arise, so that none of it has to be remembered or typed again.
A basic configuration section looks like the following:
```ssh_config
Host <host> # this is something you can easily identify
ProxyCommand nc -X 5 -x localhost:9050 %h %p # route the connection through a Tor SOCKS5 proxy listening on localhost:9050 (OpenBSD-style nc flags; ncat and GNU netcat use different options)
```
Another amazing feature of SSH is forced commands.
The name is relatively self-explanatory: you give a public key the privilege to execute a single command and nothing else.
sshd runs that command whatever the client asked for; the client's own request is only handed to it in the `SSH_ORIGINAL_COMMAND` environment variable. Pair `command="..."` with the `restrict` option so the key also cannot be used for port forwarding, agent forwarding, X11 or `~/.ssh/rc` (and add `pty` back for a curses program like the one below).
This is really useful if there is something you frequently do on a server which is simple enough to automate but still needs an interactive terminal from your end.
I make use of a forced command to open NCMPCPP on my MPD server.
Logging in and typing `ncmpcpp` every time I wanted to add or remove some songs from the current playlist got annoying really fast.
On my client machines I have an entry in my `~/.ssh/config` with roughly the following:
```ssh_config
Host <host>-radio
Hostname <hostname>
User <mpd-user>
Port <meme-number>
IdentityFile ~/.ssh/<host>-radio
IdentitiesOnly yes # offer only the key above, not every key the agent holds
```
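The server side of that setup, as an added example rather than the post's own `authorized_keys` (the key blob below is a constructed placeholder, not a real key, and `ncmpcpp` stands in for whatever command you want forced): a POSIX sh helper that installs an entry with the permissions sshd insists on and refuses to add a second line for a key that is already present. That last check matters because sshd uses the first line whose key matches, so depending on order a stray unrestricted copy of the same key can hand back the full shell the forced command was meant to take away.

```sh
#!/bin/sh
# Added example, not the post's own setup. Installs an authorized_keys entry
# the way sshd wants to find it: ~/.ssh and the file owned by the user and
# not group/world-writable (StrictModes refuses the keys otherwise), and the
# same public key never added twice. The forced-command entry mirrors the
# post's ncmpcpp use: "restrict" turns off forwarding, pty allocation and
# ~/.ssh/rc, "pty" re-enables the terminal a curses program needs.

# key_blob LINE: print the base64 body of an authorized_keys line, skipping
# any leading options and the trailing comment.
key_blob() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }'
}

# forced_command_line CMD KEYLINE: wrap a plain "type blob comment" line so
# that this key can only run CMD. Whatever the client asked for arrives in
# $SSH_ORIGINAL_COMMAND and is otherwise ignored.
forced_command_line() {
  printf 'restrict,pty,command="%s" %s\n' "$1" "$2"
}

# add_authorized_key HOME LINE: create HOME/.ssh with safe permissions and
# append LINE unless a line with the same key blob is already present.
# Prints "added" or "present".
add_authorized_key() {
  home=$1 line=$2
  ssh_dir=$home/.ssh
  ak=$ssh_dir/authorized_keys
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak"
  blob=$(key_blob "$line")
  if [ -n "$blob" ] && grep -qF -- "$blob" "$ak"; then
    echo present                      # same key, possibly with other options
  else
    printf '%s\n' "$line" >> "$ak"
    echo added
  fi
}

home=$(mktemp -d)                     # stand-in for the MPD user's home
# Constructed placeholder key (the blob is not a real key); a real one comes
# from `ssh-keygen -t ed25519` on the client.
radio_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTAREALKEY0000000000000000000 radio@laptop'
add_authorized_key "$home" "$(forced_command_line ncmpcpp "$radio_key")"   # added
add_authorized_key "$home" "$radio_key"                                     # present: would widen access
cat "$home/.ssh/authorized_keys"
rm -rf "$home"
```

The dedupe key is the base64 blob only, on purpose: two lines that differ only in their options are still the same key, and that is exactly the case where a second line is a mistake rather than a second identity.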
On my MPD server, I have the following in `~/.ssh/authorized_keys`: