Restrict password based SSH access per user but allow key authentication

Question

Is it possible to disable PASSWORD SSH access to user but to allow Key authentication on a per user basis ? I mean, I have a userA whom I don't want to give Password based access BUT I wan't him to only use key authentication to access the server(s). Thanks

score 52 · Accepted Answer · edited Aug 26 '17 at 17:39

52

You can add "Match" sections to match on particular users or groups at the bottom of sshd_config, like:

Match user stew
PasswordAuthentication no

or

Match group dumbusers
PasswordAuthentication no

edited Aug 26 '17 at 17:39

peterh

5,017

answered May 08 '12 at 15:23

stew

9,588

score 4 · Answer 2 · edited May 09 '16 at 11:23

4

Just lock the passwords of the users you don't want to log in with passwords:

usermod -L <user>

Then, place a valid public key in their .ssh/authorized_keys file and they will be only able to log in with the corresponding private key, but not with a password.

Note: This will break sudo unless the user has NOPASSWD: in their visudo entry

edited May 09 '16 at 11:23

Tom Koch

43

answered May 08 '12 at 15:23

Oliver

6,076

score -3 · Answer 3 · answered May 08 '12 at 15:19

-3

you should look into

/etc/ssh/sshd_config

I think what you're looking for is

PasswordAuthentication yes

change it to no and don't forget to restart sshd

answered May 08 '12 at 15:19

alexus

13,667

Restrict password based SSH access per user but allow key authentication

3 Answers3

Linked