Back to Documentation
Debian 12

Enabling SSH Password Authentication on Debian 12 Cloud Images (via NoVNC Console)

October 15, 2025 7 months ago

Enabling SSH Password Authentication on Debian 12 Cloud Images (via NoVNC Console)

By default, Debian 12 cloud images are configured for key-based SSH authentication onlypassword login is disabled for security reasons. This ensures that freshly deployed instances are protected against brute-force and credential-guessing attacks.

However, in some cases (for example, during initial troubleshooting, legacy system integration, or when using environments that don’t yet support SSH keys), you might need to temporarily enable password authentication.

This tutorial walks you through enabling it safely using the NoVNC web console as root.

⚠️ Security warning: Password authentication is inherently less secure than key-based SSH. Enable it only when necessary and revert once your work is done. If left enabled, use strong passwords, fail2ban, and firewall restrictions.

Overview of Steps

  1. Connect to your instance’s NoVNC console
  2. Switch to root if necessary
  3. Back up your SSH configuration
  4. Edit /etc/ssh/sshd_config to enable passwords
  5. Test the configuration
  6. Restart the SSH service
  7. Verify SSH access from another client
  8. (Optional) Harden your setup

Step 1: Open the NoVNC Console

Virtnet.bond provides a NoVNC console within the server management panel. You may use it to log in even if SSH is not working.

Open it and log in as your main user (e.g. debian, ubuntu, or root).

If you’re not root, elevate privileges:

sudo -i

Step 2: Back Up the SSH Configuration

Before making changes, back up the existing SSH server configuration file:

cp -av /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-$(date +%F-%T)

Step 3: Edit /etc/ssh/sshd_config

Use your preferred text editor (nano is easiest for beginners):

nano /etc/ssh/sshd_config

Now find and update the following directives:

PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
💡 Tip: Lines starting with # are comments. Remove the # to uncomment them.

If you also want to allow the root user to log in with a password (⚠️ high risk), find or add this line:

PermitRootLogin yes

Otherwise, leave it as:

PermitRootLogin prohibit-password

Save and exit (Ctrl + O, Enter, Ctrl + X).

Alternative: Use sed (non-interactive edit)

If you prefer not to use an editor:

sed -i.bak -E 's/^\s*#?\s*PasswordAuthentication\s+.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i -E 's/^\s*#?\s*ChallengeResponseAuthentication\s+.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^\s*#?\s*UsePAM\s+.*/UsePAM yes/' /etc/ssh/sshd_config

(Optional, for root login):

sed -i -E 's/^\s*#?\s*PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config

Step 4: Ensure the Root Account Has a Password (if needed)

If you intend to log in as root using a password, make sure the account has one:

passwd root

Enter and confirm a strong password.

Step 5: Test the SSH Configuration

Before restarting the SSH daemon, always check the configuration syntax:

sshd -t

If there’s no output, the syntax is correct.
If you see errors, fix the issues or restore the backup:

cp /etc/ssh/sshd_config.bak-* /etc/ssh/sshd_config

Step 6: Restart the SSH Service

Restart the SSH daemon to apply the changes:

systemctl restart ssh

Check its status:

systemctl status ssh --no-pager

If it’s active (running) — you’re good.

Step 7: Test SSH Login from Another Machine

Now, from a separate client system (not your NoVNC console), test logging in with a password:

ssh user@your_server_ip

Or, if you enabled root login:

ssh root@your_server_ip

Keep the NoVNC console open until you’ve confirmed it works — just in case you need to revert.

Step 8: Harden the Server (Highly Recommended)

If you must keep password login enabled:

  • Use a strong password (16+ characters, mix of symbols/numbers)
  • 🚫 Disable root login again after use:
  • sed -i 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
systemctl restart ssh
  • 🔒 Limit SSH access by IP in your cloud firewall or security group
  • 🧱 Install fail2ban to block repeated login attempts:
  • apt update && apt install -y fail2ban
  • 🔁 Revert to key-only auth when finished

Reverting to Secure Defaults

To revert your SSH configuration to the previous secure state:

cp -av /etc/ssh/sshd_config.bak-* /etc/ssh/sshd_config
sshd -t && systemctl restart ssh


↑↓ navigate select
⌘K to toggle