configure OpenSSH to prefer public key auth, fall back to empty password auth
IIUC you want to use the same user account for people who log in either via SSH key or without any password, and you want to distinguish between these two authentication methods.
IMO this is doable like this; first the server part:
$ sshd --help 2>&1 | sed -n '2p'
OpenSSH_7.9, LibreSSL 2.8.2
$ grep ^Expose /etc/ssh/sshd_config
ExposeAuthInfo yes
$ man sshd_config | col -b | sed -n '/ExposeAuthInfo/,/^$/p'
ExposeAuthInfo
Writes a temporary file containing a list of authentication
methods and public credentials (e.g. keys) used to authenticate
the user. The location of the file is exposed to the user
session through the SSH_USER_AUTH environment variable. The
default is no.
You would also need to tune sshd_config for your password-less logins. I would recommend using something like this; keep PermitEmptyPasswords no in the global part of the config file!
Match User specialuser
    PermitEmptyPasswords yes
    AuthenticationMethods publickey none
    ForceCommand /path/to/wrapper
And let's make a test wrapper (to make it easy, I put it into ~/.ssh/authorized_keys for now)...
$ grep ^command $HOME/.ssh/authorized_keys
command="$HOME/test.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILleQxrJU7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ cat ~/test.sh
#!/bin/sh
set -x
# Show the auth-related variables sshd hands to the forced command
printenv | egrep "^(SSH_ORIGINAL_COMMAND|SSH_USER_AUTH)"
# SSH_USER_AUTH is only set when ExposeAuthInfo is yes
if [ -r "${SSH_USER_AUTH}" ]; then
    cat "${SSH_USER_AUTH}"
    if grep -q ^publickey "${SSH_USER_AUTH}" ; then
        echo "XXX I've logged with a public key!"
    else
        echo "XXX I've NOT logged with a public key!"
    fi
fi
# Run the client's requested command, or an interactive shell if none was given
if [ -z "${SSH_ORIGINAL_COMMAND}" ]; then
    exec "${SHELL}"
else
    exec "${SHELL}" -c "${SSH_ORIGINAL_COMMAND}"
fi
Let's try to ssh with a public key.
$ ssh -l specialuser remote_server
+ printenv
+ egrep ^(SSH_ORIGINAL_COMMAND|SSH_USER_AUTH)
SSH_USER_AUTH=/tmp/sshauth.UTmBQYIadWVem97
+ cat /tmp/sshauth.UTmBQYIadWVem97
publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILleQxrxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ grep -q ^publickey /tmp/sshauth.UTmBQYIadWVem97
+ echo XXX I've logged with a public key!
XXX I've logged with a public key!
+ exec /bin/ksh
$
I'm not going to test password-less login for you but I think we have all parts needed here ;)
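As an added illustration (my own code, not part of the answer above), here is a ForceCommand helper that reads the SSH_USER_AUTH file the same way test.sh does, but turns the result into a policy: key-authenticated sessions get the normal shell, password-less ones are confined to a single fixed command. The guest command path and the assumption that a password-less login leaves a line starting with "none" in the auth file are mine, not from the answer.

```shell
#!/bin/sh
# Added example wrapper for "ForceCommand /path/to/wrapper" with ExposeAuthInfo yes.
# Assumed auth-file layout: one line per method used, e.g.
#   publickey ssh-ed25519 AAAA...
#   none
GUEST_CMD=${GUEST_CMD:-/usr/local/bin/guest-menu}   # assumed, read-only menu

# auth_method FILE -> prints publickey | none | unknown
auth_method() {
    authfile=$1
    if [ -z "$authfile" ] || [ ! -r "$authfile" ]; then
        echo unknown; return 1          # ExposeAuthInfo off or file missing
    fi
    if grep -q '^publickey ' "$authfile"; then
        echo publickey
    else
        echo none
    fi
}

# session_policy FILE -> prints full | guest, fails if the method is unknown
session_policy() {
    case $(auth_method "$1") in
        publickey) echo full ;;
        none)      echo guest ;;
        *)         return 1 ;;          # refuse rather than guess
    esac
}

# run_session: exec what the policy allows (never returns on success)
run_session() {
    shell=${SHELL:-/bin/sh}
    case $(session_policy "$SSH_USER_AUTH") in
        full)
            if [ -z "$SSH_ORIGINAL_COMMAND" ]; then exec "$shell"
            else exec "$shell" -c "$SSH_ORIGINAL_COMMAND"; fi ;;
        guest)
            exec "$GUEST_CMD" ;;        # SSH_ORIGINAL_COMMAND is ignored
        *)
            echo "cannot determine authentication method, refusing" >&2
            exit 1 ;;
    esac
}

# Only act as the wrapper when invoked with --run, so the file can be sourced/tested
if [ "${1:-}" = --run ]; then
    run_session
fi
```

Install it as the ForceCommand target and point it at the same Match block as above; sshd then sets SSH_USER_AUTH and SSH_ORIGINAL_COMMAND before the wrapper runs.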