Is it possible to disable PASSWORD SSH access for a user but allow key authentication on a per-user basis? I mean, I have a userA whom I don't want to give password-based access, BUT I want him to only use key authentication to access the server(s). Thanks
22
Possible duplicate of how to disable SSH login with password for some users? – Josip Rodin Apr 04 '17 at 12:41
3 Answers
52
You can add "Match" sections to match on particular users or groups at the bottom of sshd_config, like:
Match user stew
PasswordAuthentication no
or
Match group dumbusers
PasswordAuthentication no
9 I would avoid indenting as it suggests that only the indented lines are affected by Match when in reality, all configuration is affected until the next Match directive. Could be confusing to someone not familiar with the syntax. – Michael Mior Dec 29 '13 at 07:25
4 @NickT Match works up until the next Match or Host keyword. You could just use Match user *. – Michael Mior Feb 08 '17 at 13:05
@MichaelMior Does this mean that if you use Match user ZaQwEdCxS, you could render a set of configuration lines usable by nobody, temporarily or permanently? – Tripp Kinetics May 11 '18 at 20:16
It would mean that all configuration lines after that would only apply to users named ZaQwEdCxS. If you have a different question though, you should ask a new question. – Michael Mior May 12 '18 at 21:47
Another way for formatting is to indent, but put a Match all at the bottom of the block so the rest of the file is back to being global. – KJ7LNW Oct 31 '23 at 21:00
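The Match scoping discussed in the answer and comments above, modelled in Python as an added example (not code from the original posts or from OpenSSH). The function names and the sample config are assumptions made for illustration, and only the User, Group and All criteria are modelled.

```python
from fnmatch import fnmatchcase  # ssh-style '*' and '?' (also accepts [..])

# Constructed sample config; the indentation is deliberately misleading.
SAMPLE = """PasswordAuthentication yes
Match User stew
    X11Forwarding no
PasswordAuthentication no
Match Group dumbusers
    PasswordAuthentication no
Match all
PasswordAuthentication yes
"""

def in_list(value, patterns):
    """Comma-separated pattern list; a matching '!pattern' vetoes the list."""
    pats = patterns.split(",")
    if any(p.startswith("!") and fnmatchcase(value, p[1:]) for p in pats):
        return False
    return any(fnmatchcase(value, p) for p in pats if not p.startswith("!"))

def block_applies(criteria, user, groups):
    """Every criterion/pattern pair must hold; Host, Address, ... never match here."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    checks = {"user": lambda p: in_list(user, p),
              "group": lambda p: any(in_list(g, p) for g in groups)}
    pairs = list(zip(criteria[0::2], criteria[1::2]))
    return bool(pairs) and all(
        checks.get(n.lower(), lambda p: False)(p) for n, p in pairs)

def password_auth_allowed(config_text, user, groups=()):
    global_value = match_value = None
    in_match = active = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0].lower()
        if keyword == "match":  # a block runs until the next Match line
            in_match, active = True, block_applies(tokens[1:], user, groups)
        elif keyword == "passwordauthentication" and len(tokens) > 1:
            value = tokens[1].lower() == "yes"
            if not in_match and global_value is None:
                global_value = value   # global section: first value wins
            elif in_match and active and match_value is None:
                match_value = value    # first satisfied Match block wins
    # A satisfied Match block overrides the global value; sshd defaults to yes.
    return next((v for v in (match_value, global_value) if v is not None), True)
```

On a real server, sshd's extended test mode (`sshd -T` with a `-C user=...` connection spec) reports the effective values for a given user, which is the authoritative check after editing the file.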
4
Just lock the passwords of the users you don't want to log in with passwords:
usermod -L <user>
Then, place a valid public key in their .ssh/authorized_keys file and they will be only able to log in with the corresponding private key, but not with a password.
Note: This will break sudo unless the user has NOPASSWD: in their visudo entry
8 That also will break sudo. Perhaps not an issue in this case, but it bears mention. – EEAA May 08 '12 at 15:25
1 Some OpenSSH setups (e.g. I think Ubuntu 14.04 in default config) do not let locked users in, not even via authorized_keys – Nils Toedtmann Sep 18 '14 at 12:38
@NilsToedtmann can you cite a source for verification? This would be very important to note in the answer, as well, if so. – Metagrapher Sep 23 '15 at 02:06
-3
You should look into
/etc/ssh/sshd_config
I think what you're looking for is
PasswordAuthentication yes
Change it to no and don't forget to restart sshd.
alexus
2 I'm aware of this - this is a GLOBAL setting though - I want a more granular option - that's why I said "per-user basis" - I want this only for some users (used for inner-cluster communication between the servers in the cluster) - not for all users – milosgajdos May 08 '12 at 15:22
Oh right, I'm sorry, I didn't read it correctly. Then what @stew recommended is a way to go – alexus May 08 '12 at 15:57