I know that I can disable SSH authentication with a clear text password for the root user (using PermitRootLogin) and enable it for all other users. But I need to disable text passwords for some list of users (and keep only public key authentication for them). For those who aren't included in the list, I need to enable password authentication as well.

So, how can I adjust different SSH policies for different users? In sshd_config I've found only 2 arguments:

```
# disable text password for root
PermitRootLogin without-password
# enable it for all other users
PasswordAuthentication yes
```

I'd like to have some dictionary-style configuration, for example:

```
user1Auth without-password
user2Auth without-password
user3Auth yes
...
```

P.S. My OS is Ubuntu 14.04.

Chris Johnson
VeLKerr
  • Be aware that if you do that it will be possible for an attacker to start guessing usernames until they find one where password login is permitted. – kasperd Apr 30 '17 at 21:56

1 Answer

You can use the Match User or Match Group directives:

```
Match Group usergroup
    PasswordAuthentication no
```

If you don't want to use groups, you can specify each user:

```
Match User user1,user2
    PasswordAuthentication yes

Match User user3
    PasswordAuthentication no
```

My preference is to never assign privileges directly to users (no matter the system), so I always use groups. This also carries the benefit that you can change group membership without needing to restart sshd.

If you do need to restart sshd, this can be done using systemd:

```
systemctl restart ssh.service
```

NB: These configuration lines must be written below all other configs in /etc/sshd_config.

Owl
EEAA
  • Thanks, but it doesn't work for me. 1) I set `PasswordAuthentication no` by default and after restart it works as expected. 2) Then, below this line, I add `Match Grop gr2017,gr49 PasswordAuthentication yes` and after restarting ssh, I can't log in to the server (I'm getting "connection refused"). It seems ssh doesn't start correctly. – VeLKerr Apr 30 '17 at 21:11
  • SSHd log says: `Received disconnect from : 11: disconnected by user`. – VeLKerr Apr 30 '17 at 21:24
  • You have a typo in "Group". – EEAA Apr 30 '17 at 21:37
  • That's a typo only in the comment, not in the config (in the config I have other groups & users), so it can't affect the error. – VeLKerr Apr 30 '17 at 21:45
  • I solved the issue. Match-configs must be situated below all other configs. I'll update your answer. – VeLKerr Apr 30 '17 at 22:28
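
The Match behaviour discussed in the answer and its comments, as an added example that is not part of the original posts or of OpenSSH: a small Python model that resolves the effective `PasswordAuthentication` for a user and shows which keywords a Match block captures when it is not placed last. The sample configs, the group name `keyonly` and all helper names are constructed; only `User` and `Group` criteria are modelled, and `fnmatch` only approximates sshd's pattern matching.

```python
import fnmatch

# Constructed sample: global default first, Match blocks at the end of the file.
GOOD = """\
PasswordAuthentication yes
Match Group keyonly
    PasswordAuthentication no
Match User user3
    PasswordAuthentication no
"""
# Constructed sample: a Match block placed above a global keyword captures it.
MISPLACED = """\
Match Group keyonly
    PasswordAuthentication no
Port 22
"""

def parse(text):
    """Return (global_opts, blocks); blocks is a list of (criteria, opts)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            criteria = {toks[i].lower(): toks[i + 1].split(",")
                        for i in range(0, len(toks) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            # Indentation is ignored: every line after a Match belongs to it.
            target = global_opts if current is None else current
            target.setdefault(key, value)  # first value obtained wins
    return global_opts, blocks

def matches(criteria, user, groups):
    subjects = {"user": [user], "group": list(groups)}
    return all(name in subjects and
               any(fnmatch.fnmatchcase(s, p) for s in subjects[name] for p in pats)
               for name, pats in criteria.items())

def effective(text, keyword, user, groups=()):
    """Value applied to the user: first matching Match block, else the global."""
    global_opts, blocks = parse(text)
    for criteria, opts in blocks:
        if keyword.lower() in opts and matches(criteria, user, groups):
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower())

def captured(text):
    """Keywords that ended up inside Match blocks (look for stray globals)."""
    return sorted({k for _, opts in parse(text)[1] for k in opts})
```

On a real host, `sshd -t` checks the file before a restart, and `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the settings sshd would apply to that connection.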