Is it possible to force specific users to log in with a public key, while allowing other users to log in with a password? Since public key authentication (with passphrase) is stronger than password-only authentication, we would like to require sudoers to log in with a public key. However, it is less convenient to force normal users to do so. In sshd_config, I don't see any policy-related configuration.
2 Answers
You have a few options. In this answer I'm going to assume you have a sudoers group defined.
Take a look at the sshd_config man page, and look for the Match directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:
```
Match Group sudoers
    PasswordAuthentication no
    ChallengeResponseAuthentication no
```

You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers group. This would probably involve the pam_succeed_if module... you could add something like this to your auth config for sshd:

```
auth requisite pam_succeed_if.so user notingroup sudoers quiet
```

This means that only people not in the sudoers group can authenticate via PAM. Note that this is untested. You could also use the pam_listfile module to do something similar.
- Thanks! I must also note that the Match directive was introduced in OpenSSH 5.0. For conservative distributions like CentOS, it may not be available natively. – Reci, Feb 23, 2011 at 8:44
- This breaks OpenSSH 7.7p1 - I had to remove the ChallengeResponseAuthentication directive in order to get it to restart. – rbsec, Sep 12, 2018 at 15:11
Another possible answer, as @larsks' answer did not work for my version of sshd; my version seems to be using the documentation found here, which states:
Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are . . .
That list of keywords does not include: ChallengeResponseAuthentication.
A really fun way I found was to use AuthenticationMethods which in your case would work like so:
```
Match Group sudoers
    AuthenticationMethods "publickey"
```

AuthenticationMethods takes a list of comma-separated values which represent a series of methods a user must pass before accessing the server.
AuthenticationMethods "publickey,password" would force the user to pass with a public key and then a password.
To read more, see man sshd_config.
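Both answers rely on the same mechanism: a Match block that overrides the global section for a subset of connections. The following is an added example (not code from either answer or from OpenSSH itself) that models how sshd resolves global keywords and Match blocks for a given user and group set, so a policy like "sudoers must use a public key, everyone else may use a password" can be sanity-checked before restarting the daemon. It handles only the Match criteria User and Group, the sample config and the group memberships are constructed, and the resolution rule it models (a matching Match block overrides the global section; among several matching blocks, the first to set a keyword wins) is stated as an assumption in the comments. It also parses AuthenticationMethods into its chains, covering the "publickey,password" case from the second answer.

```python
"""Resolve the effective sshd_config values for a given user/group set.

Added illustration: a small model of sshd's Match handling, used to check a
"sudoers must use publickey" policy offline. Only the Match criteria User and
Group are modelled; the config text and group data below are constructed.
"""
from fnmatch import fnmatchcase
import shlex

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CONFIG = """
# Global defaults: ordinary accounts may still use a password
PasswordAuthentication yes
PubkeyAuthentication yes

Match Group sudoers
    AuthenticationMethods publickey
    PasswordAuthentication no

Match User deploy
    AuthenticationMethods "publickey,password"
"""

# Constructed group membership; on a real host this comes from NSS (getent).
SAMPLE_GROUPS = {
    "alice": {"alice", "sudoers", "users"},
    "bob": {"bob", "users"},
    "deploy": {"deploy", "users"},
}


def parse_config(text):
    """Split sshd_config text into the global section and the Match blocks.

    Returns (global_settings, match_blocks). Each Match block is a pair
    (criteria, settings): criteria is a list of (criterion, patterns) and
    settings is a list of (keyword, value) in file order. Keywords are
    lower-cased because sshd treats them case-insensitively.
    """
    global_settings, match_blocks = [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)  # shlex handles quoted values like "a,b"
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            if len(args) % 2:
                raise ValueError("Match needs criterion/pattern pairs: " + line)
            criteria = [(args[i].lower(), args[i + 1].split(","))
                        for i in range(0, len(args), 2)]
            current = []  # keywords up to the next Match line belong here
            match_blocks.append((criteria, current))
        else:
            current.append((keyword, " ".join(args)))
    return global_settings, match_blocks


def block_matches(criteria, user, groups):
    """True when every criterion on the Match line holds (criteria are ANDed)."""
    for crit, patterns in criteria:
        if crit == "user":
            ok = any(fnmatchcase(user, p) for p in patterns)
        elif crit == "group":
            ok = any(fnmatchcase(g, p) for g in groups for p in patterns)
        else:
            raise ValueError("criterion not modelled in this example: " + crit)
        if not ok:
            return False
    return True


def effective_config(text, user, groups):
    """Return {keyword: value} for one connection under the modelled rule.

    Assumed rule: a matching Match block overrides the global section, and
    when several Match blocks match, the first to set a keyword wins.
    """
    global_settings, match_blocks = parse_config(text)
    effective = {}
    for criteria, settings in match_blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in settings:
                effective.setdefault(keyword, value)
    for keyword, value in global_settings:
        effective.setdefault(keyword, value)
    return effective


def required_methods(text, user, groups):
    """Parse AuthenticationMethods into alternatives, each a chain of methods.

    'publickey,password' -> [['publickey', 'password']]: both, in that order.
    'publickey password' -> [['publickey'], ['password']]: either one suffices.
    Keyword absent          -> [['any']]: sshd's default, any enabled method.
    """
    value = effective_config(text, user, groups).get("authenticationmethods", "any")
    return [chain.split(",") for chain in value.split()]


if __name__ == "__main__":
    for name, groups in SAMPLE_GROUPS.items():
        cfg = effective_config(SAMPLE_CONFIG, name, groups)
        print(f"{name:8s} PasswordAuthentication={cfg.get('passwordauthentication')}"
              f" methods={required_methods(SAMPLE_CONFIG, name, groups)}")
```

The model is only a pre-check; on the real host, `sshd -T -C user=alice,host=example.org,addr=192.0.2.10` prints the configuration sshd itself would apply to that connection, and `sshd -t` validates the file, which is how the version-specific breakage mentioned in the comments (a keyword not permitted under Match) shows up before a restart fails.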