Is it possible to disable PASSWORD SSH access to user but to allow Key authentication on a per-user basis? I mean, I have a userA whom I don't want to give password-based access BUT I want him to only use key authentication to access the server(s). Thanks
22
-
Possible duplicate of [how to disable SSH login with password for some users?](http://serverfault.com/questions/285800/how-to-disable-ssh-login-with-password-for-some-users) – Josip Rodin Apr 04 '17 at 12:41
3 Answers
51
You can add "Match" sections to match on particular users or groups at the bottom of sshd_config, like:

```
Match user stew
PasswordAuthentication no
```

or

```
Match group dumbusers
PasswordAuthentication no
```
-
9 I would avoid indenting as it suggests that only the indented lines are affected by `Match` when in reality, all configuration is affected until the next `Match` directive. Could be confusing to someone not familiar with the syntax. – Michael Mior Dec 29 '13 at 07:25
-
4 @NickT `Match` works up until the next `Match` or `Host` keyword. You could just use `Match user *`. – Michael Mior Feb 08 '17 at 13:05
-
@MichaelMior Does this mean that if you use `Match user ZaQwEdCxS`, you could render a set of configuration lines usable by nobody, temporarily or permanently? – Tripp Kinetics May 11 '18 at 20:16
-
It would mean that all configuration lines after that would only apply to users named `ZaQwEdCxS`. If you have a different question though, you should ask a new question. – Michael Mior May 12 '18 at 21:47
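A simplified model of how `Match` blocks scope the lines after them, as discussed in the answer and comments above. This is an added example, not code from the answer or from OpenSSH; `effective`, `_criteria_ok` and the sample config are hypothetical, and only `Match all` plus `User`/`Group` glob criteria are modelled.

```python
import fnmatch

# Constructed sample config; user and group names are taken from the answer above.
SAMPLE_CONFIG = """\
PasswordAuthentication yes

Match User stew
PasswordAuthentication no

Match Group dumbusers
PasswordAuthentication no
X11Forwarding no
"""

def _criteria_ok(spec, user, groups):
    """True if every User/Group criterion on a Match line is satisfied."""
    tokens = spec.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if not tokens or len(tokens) % 2:
        return False
    for crit, patterns in zip(tokens[::2], tokens[1::2]):
        if crit.lower() not in ("user", "group"):
            return False  # criterion outside this simplified model
        names = [user] if crit.lower() == "user" else list(groups)
        if not any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns.split(",")):
            return False
    return True


def effective(config, user, groups=()):
    """Resolve keywords for one user: first value wins, Match overrides global."""
    global_opts, match_opts = {}, {}
    in_match = active = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            # A new Match line closes the previous block, whatever the indentation.
            in_match, active = True, _criteria_ok(value, user, groups)
        elif not in_match:
            global_opts.setdefault(key, value)
        elif active:
            match_opts.setdefault(key, value)  # first satisfied block wins
    return {**global_opts, **match_opts}
```

On a real server, `sshd -T -C user=stew` prints the effective configuration for that user as sshd itself resolves it.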
4
Just lock the passwords of the users you don't want to log in with passwords:

```
usermod -L <user>
```

Then, place a valid public key in their `.ssh/authorized_keys` file and they will be only able to log in with the corresponding private key, but not with a password.

Note: This will break sudo unless the user has `NOPASSWD:` in their visudo entry.
-
8 That also will break sudo. Perhaps not an issue in this case, but it bears mention. – EEAA May 08 '12 at 15:25
-
1 Some OpenSSH setups (e.g. I think Ubuntu 14.04 in default config) do not let locked users in, not even via authorized_keys – Nils Toedtmann Sep 18 '14 at 12:38
-
@NilsToedtmann can you cite a source for verification? This would be very important to note in the answer, as well, if so. – Metagrapher Sep 23 '15 at 02:06
-3
You should look into `/etc/ssh/sshd_config`. I think what you're looking for is

```
PasswordAuthentication yes
```

Change it to `no` and don't forget to restart sshd.
alexus
-
2 I'm aware of this - this is a GLOBAL setting though - I want a more granular option - that's why I said "per-user basis" - I want this only for some users (used for innercluster communication between the servers in the cluster) - not for all users – milosgajdos May 08 '12 at 15:22
-
Oh right, I'm sorry, I didn't read it correctly. Then what @stew recommended is a way to go – alexus May 08 '12 at 15:57