198

On Linux (Debian Squeeze) I would like to disable SSH login using a password for some users (a selected group, or all users except root). But I do not want to disable login using a certificate for them.

edit: thanks a lot for the detailed answer! For some reason this does not work on my server:

Match User !root
PasswordAuthentication no

...but can be easily replaced by

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Stepan
  • 2,199

6 Answers

217

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

# A pattern-list made only of negated patterns never matches anything; the wildcard supplies the positive match
Match User *,!root
    PasswordAuthentication no

Note that Match is effective "until either another Match line or the end of the file." (The indentation isn't significant.)

gkop
  • 103
  • 5
Cakemox
  • 26,021
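The Match semantics this thread relies on, as an added example that is not code from the question or from any answer: a small Python model of how sshd picks the effective PasswordAuthentication for a user (the first matching Match block that sets it wins, then the global value, then the compiled-in default), including the pattern-list rule that makes a bare `Match User !root` match nobody, the difference between `Match all` and `Match User all`, and, going beyond the Match answers, a DenyUsers list that refuses the user outright, public key included. The configuration strings are the thread's own snippets; the user and group names (alice, bob, carol, users, staff) are constructed for the example, and only the standard library is used.

```python
"""Model of which sshd_config rule decides PasswordAuthentication for a user.

Added example, not code from the question or any answer.  It follows the
sshd_config(5) rules the thread depends on: a Match block runs until the next
Match line or end of file; "Match all" matches every connection; for each
keyword the first value obtained wins, so the first *matching* Match block
that sets it decides, else the global value; a pattern-list of only negated
patterns ("!root") never matches; DenyUsers refuses the login entirely.
Only "Match User", "Match Group" and "Match all" are modelled.
"""
from fnmatch import fnmatchcase

PASSWORD_AUTH_DEFAULT = "yes"   # sshd's compiled-in default


def match_pattern_list(name, pattern_list):
    """sshd pattern-list: a negated hit fails at once; only a positive hit succeeds."""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatchcase(name, pat[1:] if negated else pat):
            if negated:
                return False
            positive = True
    return positive   # "!root" alone leaves this False for every user


def parse(config_text):
    """Return (global_keywords, [(match_criteria, block_keywords), ...])."""
    global_lines, blocks = [], []
    current = global_lines
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            blocks.append((args.split(), []))
            current = blocks[-1][1]
        else:
            current.append((keyword, args))
    return global_lines, blocks


def block_matches(criteria, user, groups):
    """True if every criterion/pattern pair on the Match line is satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if len(criteria) % 2:
        raise ValueError("Match needs criterion/pattern pairs: %r" % (criteria,))
    for crit, pattern in zip(criteria[::2], criteria[1::2]):
        if crit.lower() == "user":
            ok = match_pattern_list(user, pattern)
        elif crit.lower() == "group":
            ok = any(match_pattern_list(g, pattern) for g in groups)
        else:
            raise ValueError("criterion not modelled here: %s" % crit)
        if not ok:
            return False
    return True


def first_value(lines, keyword):
    """First occurrence of a keyword wins, as in sshd."""
    for k, v in lines:
        if k == keyword:
            return v
    return None


def effective(config_text, user, groups=()):
    """Return ("denied", reason) or ("allowed", "yes"/"no") for PasswordAuthentication."""
    global_lines, blocks = parse(config_text)
    # DenyUsers is global and ends the login before any auth method runs
    # (USER@HOST patterns and the Allow*/DenyGroups lists are not modelled).
    deny = first_value(global_lines, "denyusers")
    if deny and any(fnmatchcase(user, p) for p in deny.split()):
        return ("denied", "DenyUsers")
    for criteria, lines in blocks:
        if block_matches(criteria, user, groups):
            value = first_value(lines, "passwordauthentication")
            if value is not None:
                return ("allowed", value.lower())
    value = first_value(global_lines, "passwordauthentication")
    return ("allowed", (value or PASSWORD_AUTH_DEFAULT).lower())


# Configurations from the thread; user and group names are constructed.
OP_BROKEN = "Match User !root\nPasswordAuthentication no\n"
NEGATION_FIXED = "Match User *,!root\nPasswordAuthentication no\n"
OP_WORKAROUND = "PasswordAuthentication no\nMatch User root\nPasswordAuthentication yes\n"
HANSV_AS_POSTED = "Match User alice\nPasswordAuthentication yes\nMatch User all\nPasswordAuthentication no\n"
HANSV_FIXED = "Match User alice\nPasswordAuthentication yes\nMatch all\nPasswordAuthentication no\n"
ORDER_SWAPPED = "Match all\nPasswordAuthentication no\nMatch User alice\nPasswordAuthentication yes\n"
GROUP_ONLY = "Match Group users\nPasswordAuthentication no\n"
DENY_LIST = "DenyUsers bob carol\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name in ("OP_BROKEN", "NEGATION_FIXED", "HANSV_AS_POSTED", "HANSV_FIXED"):
        cfg = globals()[name]
        print(name, "root:", effective(cfg, "root"), "bob:", effective(cfg, "bob"))
```

The model shows why the OP's `Match User !root` block silently applies to nobody (bob keeps password login), why `Match User all` only affects a user literally named all, and why putting `Match all` before `Match User alice` takes alice's password login away. On a real host the authoritative check is sshd's own test mode, run as root after `sshd -t` passes: `sshd -T -C user=bob,host=bob.example.org,addr=203.0.113.5 | grep -i '^passwordauthentication'` prints the value sshd would actually use for that connection (host and address are placeholder values).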
38

Match in sshd_config works well. You should use Match all to end the Match block if you're using OpenSSH 6.5p1 or above. Example:

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
4

For security reasons, you may need to block SSH access to a Linux box for certain users.

Edit the sshd_config file; its location sometimes differs between Linux distributions, but it's usually in /etc/ssh/.

Open the file up while logged on as root:

# vi /etc/ssh/sshd_config

Insert a line at the end of the config file:

DenyUsers username1 username2 username3 username4

Save it and restart the SSH service. Basically, username1, username2, username3 and username4 are no longer allowed to log in over SSH.

Run the command below to restart it:

# systemctl restart sshd

That completes the requirement. Try to SSH in as one of those users and you will get the error "Access Denied".

Gerald Schneider
  • 26,582
  • 8
  • 65
  • 97
3

The order of the config statements counts ... my solution in the file

/etc/ssh/sshd_config:

Match User <username>
PasswordAuthentication yes
# "Match all" ends the block for everyone else; "Match User all" would only match a user literally named all
Match all
PasswordAuthentication no
Michael Hampton
  • 252,907
HansV
  • 31
2

There are a few ways that you can do this. First, you could conceivably run a second sshd daemon on a different port with a different config; it's a bit of a hack, but with some chroot work it should work just fine.

Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.

0

You can simply go to the /etc/ssh/sshd_config file and add a line:

To allow: AllowUsers user1

To deny: DenyUsers user2

We can also allow/deny login for a particular set of hosts using the hosts.allow or hosts.deny files located in the /etc folder.

Sharan
  • 19