Force SSH public key authentication for specific users

Solution 1:

You have a few options. In this answer I'm going to assume you have a sudoers group defined.

Take a look at the sshd_config man page, and look for the Match directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:

Match Group sudoers
    PasswordAuthentication no
    ChallengeResponseAuthentication no

You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers group. This would probably involve the pam_succeed_if module... you could add something like this to your auth config for sshd:

auth        requisite     pam_succeed_if.so user notingroup sudoers quiet

This means that only people not in the sudoers group can authenticate via PAM. Note that this is untested. You could also use the pam_listfile module to do something similar.

Solution 2:

Another possible answer, as @larsks' answer did not work for my version of sshd, since my version seems to be using the documentation found here, which states:

Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are . . .

That list of keywords does not include: ChallengeResponseAuthentication.

A really fun way I found was to use AuthenticationMethods which in your case would work like so:

Match Group sudoers
    AuthenticationMethods "publickey"

AuthenticationMethods takes a list of comma-separated values which represent a series of methods a user must pass before accessing the server.

AuthenticationMethods "publickey,password" would force the user to pass with a public key and then a password.

To read more, see man sshd_config.
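
To check that a Match Group block like the ones in the two solutions really closes off password logins for the group, here is an added example (not code from either answer or from OpenSSH) that resolves the effective settings for a user's groups from sshd_config text. It models only Match Group and Match All, and looks only at the "password" method, not keyboard-interactive; the function names and the sample config are constructed for illustration.

```python
import fnmatch

# Constructed sample config (not from the page): permissive global default
# followed by the Match block from Solution 2.
SAMPLE_CONFIG = """\
PasswordAuthentication yes

Match Group sudoers
    AuthenticationMethods "publickey"
"""

def pattern_list_matches(patterns, values):
    """sshd-style pattern list: comma-separated globs, a leading '!' negates."""
    matched = False
    for pat in patterns.split(","):
        hit = any(fnmatch.fnmatchcase(v, pat.lstrip("!")) for v in values)
        if hit and pat.startswith("!"):
            return False  # a negated match vetoes the whole list
        matched = matched or hit
    return matched

def effective_settings(config_text, groups):
    """Resolve keywords for a user in `groups`; handles Match Group/All only."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip().strip('"')
        if key == "match":
            crit = value.split() or [""]
            if crit[0].lower() == "all":
                active = True
            elif crit[0].lower() == "group" and len(crit) == 2:
                active = pattern_list_matches(crit[1], groups)
            else:
                raise ValueError(f"unsupported Match criteria: {value}")
            target = match_opts
            continue
        if active:
            target.setdefault(key, value)  # first obtained value wins
    return {**global_opts, **match_opts}  # Match values override globals

def password_only_login_possible(config_text, groups):
    """True if the 'password' method alone can complete authentication."""
    opts = effective_settings(config_text, groups)
    if opts.get("passwordauthentication", "yes").lower() != "yes":
        return False
    methods = opts.get("authenticationmethods", "any")
    return methods == "any" or "password" in methods.split()
```

On a live host, sshd -T -C user=NAME prints the settings sshd itself resolves for that user, which is the authoritative check.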