Force SSH public key authentication for specific users
Solution 1:
You have a few options. In this answer I'm going to assume you have a sudoers
group defined.
Take a look at the sshd_config
man page, and look for the Match
directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:
Match Group sudoers
PasswordAuthentication no
ChallengeResponseAuthentication no
You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers
group. This would probably involve the pam_succeed_if module...you could add something like this to your auth
config for sshd:
auth requisite pam_succeed_if.so user notingroup sudoers quiet
This means that only people not in the sudoers
group can authentication via PAM. Note that this is untested. You could also use the
pam_listfile module to do something similar.
Solution 2:
Another possible answer, as @larsks, answer did not work for my version of ssh_d
as my version seems to be using the documentation found here which states:
Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are . . .
That list of keywords does not include: ChallengeResponseAuthentication
.
A really fun way I found was to use AuthenticationMethods
which in your case would work like so:
Match Group sudoers
AuthenticationMethods "publickey"
AuthenticationMethods
takes a list of comma separated values which represent a series of methods a user must pass before accessing the server.
AuthenticationMethods "publickey,password"
would force the user to pass with a public key and then a password.
To read more man sshd_config
.