16

Is it possible to force specific users to login with public key, while allowing other users to login with password? Since public key authentication (with passphrase) is stronger than password-only authentication, we would like to require sudoers to login with public key. However, it is less convenient to force normal users to do so. In sshd_config, I don't see any policy-related configuration.

masegaloeh
Reci

2 Answers

14

You have a few options. In this answer I'm going to assume you have a sudoers group defined.

Take a look at the sshd_config man page, and look for the Match directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:

Match Group sudoers
PasswordAuthentication no
ChallengeResponseAuthentication no

You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers group. This would probably involve the pam_succeed_if module. You could add something like this to your auth config for sshd:

auth        requisite     pam_succeed_if.so user notingroup sudoers quiet

This means that only people not in the sudoers group can authenticate via PAM. Note that this is untested. You could also use the pam_listfile module to do something similar.

larsks

    Thanks! I must also note that the Match directive is introduced in OpenSSH 5.0. For conservative distributions like CentOS, it may not be available natively. – Reci Feb 23 '11 at 08:44
    This breaks OpenSSH 7.7p1 - I had to remove the ChallengeResponseAuthentication directive in order to get it to restart. – rbsec Sep 12 '18 at 15:11
4

Another possible answer, as @larsks' answer did not work for my version of sshd, as my version seems to be using the documentation found here, which states:

Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are . . .

That list of keywords does not include: ChallengeResponseAuthentication.

A really fun way I found was to use AuthenticationMethods which in your case would work like so:

Match Group sudoers
AuthenticationMethods "publickey"

AuthenticationMethods takes a list of comma-separated values which represent a series of methods a user must pass before accessing the server.

AuthenticationMethods "publickey,password" would force the user to pass with a public key and then a password.

To read more, see man sshd_config.

Suuuehgi
Breedly
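Both answers depend on how sshd evaluates Match blocks: a matching block overrides the global section, and when several blocks match, the first one that sets a keyword wins. The following Python script is an added example, not code from either answer; it parses a constructed sshd_config (mirroring the Match Group sudoers and AuthenticationMethods blocks above) and reports the settings sshd would apply to a given user and group list. It assumes only User and Group criteria and does not handle `!` negation in patterns.

```python
import fnmatch

# Constructed sample config (not from the page) mirroring the answers' Match blocks.
SAMPLE_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
Match Group sudoers
    AuthenticationMethods "publickey"
    PasswordAuthentication no
Match User deploy
    AuthenticationMethods "publickey,password"
"""

def _pattern_matches(patterns, values):
    # sshd patterns: comma-separated list with '*' and '?' wildcards.
    # Simplification: '!' negation is not handled here.
    return any(fnmatch.fnmatchcase(v, p) for p in patterns.split(",") for v in values)

def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...]);
    keys are lower-cased, as `sshd -T` prints them."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "match":
            tokens = value.split()  # e.g. ['Group', 'sudoers', 'User', 'deploy']
            criteria = dict(zip([t.lower() for t in tokens[::2]], tokens[1::2]))
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_settings.setdefault(key, value)  # first obtained value wins
        else:
            current.setdefault(key, value)
    return global_settings, blocks

def effective_settings(text, user, groups):
    """Settings sshd would apply to `user` (member of `groups`): the first
    matching Match block that sets a keyword wins, otherwise the global value."""
    effective, blocks = parse_sshd_config(text)
    decided = set()  # keywords already fixed by an earlier matching block
    for criteria, settings in blocks:
        if not set(criteria) <= {"user", "group"}:
            raise ValueError(f"unsupported Match criteria: {criteria}")
        if all(_pattern_matches(p, [user] if c == "user" else groups)
               for c, p in criteria.items()):
            for key, value in settings.items():
                if key not in decided:
                    effective[key] = value
                    decided.add(key)
    return effective
```

On the real host, `sshd -T -C user=alice,host=alice.example,addr=192.0.2.10` prints the configuration sshd itself would apply to that connection and is the authoritative check.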