how to disable SSH login with password for some users?

ssh password linux login

On Linux (Debian Squeeze) I would like to disable SSH login using password to some users (selected group or all users except root). But I do not want to disable login using certificate for them.

edit: thanks a lot for detailed answer! For some reason this does not work on my server:

Match User !root
PasswordAuthentication no

...but can be easily replaced by

PasswordAuthentication no
Match User root
PasswordAuthentication yes

Solution 1:

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

Match User !root
    PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)

Solution 2:

Match in sshd_config works well. You should use Match all to end the match block if you're using openssh 6.5p1 or above. Example:

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all

Solution 3:

There are a few ways that you can do this - first, you could concievably run a second sshd daemon on a different port with different config - its a bit of a hack, but with some chroot work it should work just fine.

Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.

Solution 4:

Due to some security reason, you may require to block certain user SSH access to Linux box.

Edit the sshd_config file, the location will sometimes be different depending on Linux distribution, but it’s usually in /etc/ssh/.

Open the file up while logged on as root:

# vi /etc/ssh/sshd_config

Insert a line to end of the config file:-

DenyUsers username1 username2 username3 username4

Save it and restart SSH services. Basically username1, username2, username3 & username4 SSH login is disallowed.

Run below command to restart the same:-

# systemctl restart sshd

The requirement has been done. Please take the ssh from that users and your will get error "Access Denied"

Related

How do you restart php-fpm?
Good tools that fit on a thumb drive [closed]
How to create a UUID in bash?
How to reconnect to a disconnected ssh session
Why couldn't MAC addresses be used instead of IPv4|6 for networking? [closed]
What is a challenge password?
Should I quit using Ifconfig?
Possible to change email address in keypair?
"Add correct host key in known_hosts" / multiple ssh host keys per hostname?
Physically locating the server
hosts file ignored, how to troubleshoot?
When does /tmp get cleared?