How to Enable Password Authentication for SSH on Amazon Linux AMI: Secure Configuration Guide



Amazon Linux AMI instances typically default to key-based authentication for SSH, which is more secure than password authentication. However, there are valid use cases where password authentication might be necessary during development or testing phases.

The main configuration file we need to modify is /etc/ssh/sshd_config. Here are the critical parameters that need attention:

# Enable password authentication
PasswordAuthentication yes

# If you need to allow root login (not recommended)
PermitRootLogin yes

# Change empty password policy if needed
PermitEmptyPasswords no

# PAM configuration
UsePAM no

Here's a complete working configuration that maintains security while allowing password authentication:

# Basic SSH settings
Port 22
Protocol 2
SyslogFacility AUTHPRIV

# Authentication settings
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

# Password authentication
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# Key authentication fallback
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Other security settings
UsePAM yes
X11Forwarding yes
UseDNS no

1. Edit the SSH configuration file:

sudo vi /etc/ssh/sshd_config

2. Make the necessary changes (as shown above)

3. Restart the SSH service:

sudo service sshd restart
# Or for newer systems:
sudo systemctl restart sshd

For new users who need password access:

sudo useradd -m devuser
sudo passwd devuser
# Set password when prompted

If you must use password authentication, consider these additional security measures:

# Install fail2ban for brute force protection
sudo yum install fail2ban -y

# Configure custom SSH port
# Edit /etc/ssh/sshd_config:
Port 2222

If authentication fails after changes:

# Check auth logs
tail -f /var/log/secure

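# Check whether SELinux is blocking by switching to permissive mode temporarily
sudo setenforce 0
# If this fixes it, adjust the SELinux policy permanently and return to enforcing mode with: sudo setenforce 1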

Remember to test your configuration from another terminal before closing your current SSH session to avoid locking yourself out.


The sshd_config file controls all aspects of SSH server behavior on Amazon Linux. The default configuration prioritizes security by enforcing key-based authentication, but there are legitimate cases where password authentication is required.


# Key parameters for password authentication:
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM no

Before implementing password authentication, be aware that:

  • Brute force attacks become significantly easier
  • Password strength requirements become critical
  • Log monitoring becomes essential

Here's the complete process to enable password authentication:


# 1. Edit the SSH configuration
sudo vi /etc/ssh/sshd_config

# 2. Modify these parameters in /etc/ssh/sshd_config (add if they don't exist):
PasswordAuthentication yes
# Warning: PermitRootLogin yes is only for testing, disable later
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM no

# 3. Set or change password for your user
sudo passwd ec2-user

# 4. Restart SSH service
sudo service sshd restart
# Or for newer Amazon Linux versions:
sudo systemctl restart sshd

Verify the changes by attempting to connect from another terminal:


ssh ec2-user@your-server-ip
# You should now be prompted for a password instead of a key

If you must use password authentication, implement these additional measures:


# In /etc/ssh/sshd_config:
MaxAuthTries 3
LoginGraceTime 60
# After initial testing:
PermitRootLogin no
# Empty passwords should never be accepted:
PermitEmptyPasswords no
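
The settings above can be checked mechanically before sshd is restarted. This added example is not part of the original guide; the function names `effective_value` and `audit_sshd_config` are hypothetical, and the two sample files are constructed from the guide's testing and hardened values. It reads the value sshd would actually use (the first occurrence of each keyword) and flags risky combinations when password logins are on.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are hypothetical.

# Print the value sshd would use for KEY in the global section of FILE.
# sshd keeps the FIRST occurrence of a keyword; keywords are case-insensitive.
effective_value() {  # usage: effective_value FILE KEY DEFAULT
  awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ") }       # accept the "Key=value" form
    tolower($1) == "match" { exit }     # Match blocks are out of scope
    tolower($1) == key { val = tolower($2); exit }
    END { print (val != "" ? val : def) }
  ' "$1"
}

# Return 1 if FILE enables password logins together with a dangerous setting.
audit_sshd_config() {
  local f="$1" rc=0 pw empty root tries
  # Fallbacks are OpenSSH's compiled-in defaults for unset keywords.
  pw=$(effective_value "$f" PasswordAuthentication yes)
  empty=$(effective_value "$f" PermitEmptyPasswords no)
  root=$(effective_value "$f" PermitRootLogin prohibit-password)
  tries=$(effective_value "$f" MaxAuthTries 6)
  if [ "$pw" != yes ]; then echo "OK: PasswordAuthentication is off"; return 0; fi
  if [ "$empty" = yes ]; then echo "FAIL: PermitEmptyPasswords yes"; rc=1; fi
  if [ "$root" = yes ]; then echo "FAIL: PermitRootLogin yes"; rc=1; fi
  if [ "$tries" -gt 3 ] 2>/dev/null; then
    echo "WARN: MaxAuthTries $tries (the guide uses 3)"
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: no dangerous password settings"; fi
  return "$rc"
}

# Constructed samples based on the guide's "testing" and hardened values.
testing=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$testing" "$hardened"' EXIT
# The later "PermitEmptyPasswords no" is ignored: the first value wins.
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin yes' \
  'PermitEmptyPasswords yes' 'PermitEmptyPasswords no' > "$testing"
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
  'PermitEmptyPasswords no' 'MaxAuthTries 3' > "$hardened"
audit_sshd_config "$testing" || echo "=> fix this file before restarting sshd"
audit_sshd_config "$hardened"
```

Run it against `/etc/ssh/sshd_config` after editing, and also run `sudo sshd -t`, which validates the file's syntax, before restarting the service.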

If password authentication still doesn't work:

  • Check SELinux status: sudo sestatus
  • Verify PAM configuration: /etc/pam.d/sshd
  • Examine auth logs: sudo tail -f /var/log/secure

Remember that AWS security groups must allow inbound SSH (port 22) from your IP address for any of these configurations to work.