how to disable SSH login with password for some users?
On Linux (Debian Squeeze) I would like to disable SSH login using password to some users (selected group or all users except root). But I do not want to disable login using certificate for them.
edit: thanks a lot for detailed answer! For some reason this does not work on my server:
Match User !root
PasswordAuthentication no
...but can be easily replaced by
PasswordAuthentication no
Match User root
PasswordAuthentication yes
Solution 1:
Try Match
in sshd_config
:
Match User user1,user2,user3,user4
PasswordAuthentication no
Or by group:
Match Group users
PasswordAuthentication no
Or, as mentioned in the comment, by negation:
Match User !root
PasswordAuthentication no
Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)
Solution 2:
Match
in sshd_config
works well. You should use Match all
to end the match block if you're using openssh 6.5p1 or above. Example:
PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
Solution 3:
There are a few ways that you can do this - first, you could concievably run a second sshd daemon on a different port with different config - its a bit of a hack, but with some chroot work it should work just fine.
Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.
Solution 4:
Due to some security reason, you may require to block certain user SSH access to Linux box.
Edit the sshd_config file, the location will sometimes be different depending on Linux distribution, but it’s usually in /etc/ssh/.
Open the file up while logged on as root:
# vi /etc/ssh/sshd_config
Insert a line to end of the config file:-
DenyUsers username1 username2 username3 username4
Save it and restart SSH services. Basically username1, username2, username3 & username4 SSH login is disallowed.
Run below command to restart the same:-
# systemctl restart sshd
The requirement has been done. Please take the ssh from that users and your will get error "Access Denied"