On Linux (Debian Squeeze) I would like to disable SSH login using password to some users (selected group or all users except root). But I do not want to disable login using certificate for them.

edit: thanks a lot for the detailed answer! For some reason this does not work on my server:

Match User !root
PasswordAuthentication no

...but can be easily replaced by

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Comments:
  • Maybe it's because of your indentation? Commented Jan 30, 2013 at 7:19
  • It's worth mentioning that those lines under Match should be at the end of the file. Commented Dec 25, 2013 at 1:29
  • !root also doesn't work for me. The second approach did the trick. Commented Jun 5, 2015 at 18:25
  • I've seen cases where Match User "!root,*" did the job. Commented Jun 5, 2017 at 14:58
  • Apropos of nothing, allowing password authentication for root is a very bad idea security-wise. Commented Nov 10, 2022 at 22:44

6 Answers

Answer (score 217)

Try Match in sshd_config:

Match User user1,user2,user3,user4
PasswordAuthentication no

Or by group:

Match Group users
PasswordAuthentication no

Or, as mentioned in the comment, by negation:

Match User !root
PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)

Comments:
  • Prefer Match User !root for this case. Commented Jun 30, 2011 at 16:41
  • @SpacemanSpiff That's what a) strong passwords and b) denyhosts/fail2ban are for. Commented Jul 4, 2011 at 19:56
  • @deed02392 You can consider a key to be a really, really strong password if you like. Commented Jul 5, 2013 at 13:26
  • It's so much stronger it's not in the same ball-park; that was my point. Password authentication should be disabled for root too and only keys allowed for logins. Commented Jul 6, 2013 at 11:49
  • As per Trevor Hateley's answer, you'll probably need Match all on a new line afterwards, otherwise sshd will attempt to treat the remainder of the file as part of your block, and either refuse to restart with "Directive Foo is not allowed" errors, or worse, start silently but apply subsequent settings to the wrong people. Commented Mar 18, 2019 at 15:13
Answer (score 38)

Match in sshd_config works well. You should use Match all to end the match block if you're using openssh 6.5p1 or above. Example:

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
Comments:
  • "Match all" did the trick. Thank you. Without "Match all" sshd fails to start. Commented Oct 10, 2019 at 20:24
  • This does not work on Ubuntu 20.04. Commented Jun 16, 2020 at 17:13
  • It is working now after putting it in /etc/ssh/sshd_config instead of /etc/ssh/sshd_config.d. Commented Jun 16, 2020 at 17:22
  • "Match all" made it work for me. Without "Match all" at the end, the ssh and sshd services were failing to restart. Commented May 17, 2021 at 9:27
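The two answers above (and the question's edit) all hinge on how sshd evaluates Match blocks and negated user patterns. The following Python script is an added example, not code from any answer here and not part of OpenSSH; it emulates the relevant rules as documented in sshd_config(5) and the PATTERNS section of ssh_config(5): the global section takes the first value for each keyword, the first applying Match block that sets a keyword overrides it, a block runs until the next Match line or end of file, and a negated pattern such as !root on its own never produces a positive match (which is why "!root,*" works where "!root" did not). The user names, sample configs and the list of keywords rejected inside a Match block are constructed or abbreviated for the example.

```python
"""Emulate how sshd chooses PasswordAuthentication for a given user.

Rules modelled (from sshd_config(5) and ssh_config(5) PATTERNS):
  * global section: the first value given for a keyword wins;
  * a Match block applies when every criterion on its line holds;
  * among applying Match blocks, the first that sets a keyword wins,
    and those values override the global section;
  * in a pattern list a '!' pattern vetoes the match, and a negated
    pattern alone never yields a positive match ('!root' matches
    nobody, '!root,*' matches everyone except root).
"""
import fnmatch

# Illustrative subset (assumption for this example) of keywords that sshd
# rejects inside a Match block; the full list is in sshd_config(5).
NOT_ALLOWED_IN_MATCH = {"port", "listenaddress", "hostkey"}


def match_pattern_list(value, pattern_list):
    """True if value matches the comma-separated pattern list."""
    positive = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return False          # a negated pattern vetoes the match
        elif fnmatch.fnmatchcase(value, pat):
            positive = True           # keep scanning: a later '!' may veto
    return positive


def match_applies(criteria, user, groups):
    """Evaluate the criteria of one 'Match' line (User and Group only)."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) % 2:
        raise ValueError("malformed Match line: %r" % criteria)
    for kind, patterns in zip(tokens[::2], tokens[1::2]):
        kind = kind.lower()
        if kind == "user":
            ok = match_pattern_list(user, patterns)
        elif kind == "group":
            ok = any(match_pattern_list(g, patterns) for g in groups)
        else:
            raise ValueError("unsupported Match criterion: %s" % kind)
        if not ok:
            return False
    return True


def effective_options(config_text, user, groups=()):
    """Return {keyword: value} as sshd would apply them to `user`."""
    global_opts, match_opts = {}, {}
    in_block = None   # None: global section; bool: inside a block, does it apply?
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_block = match_applies(value, user, groups)
        elif in_block is None:
            global_opts.setdefault(key, value)
        elif key in NOT_ALLOWED_IN_MATCH:
            raise ValueError("Directive '%s' is not allowed within a Match block" % key)
        elif in_block:
            match_opts.setdefault(key, value)
    merged = dict(global_opts)
    merged.update(match_opts)
    return merged


def password_auth(config_text, user, groups=()):
    """Effective PasswordAuthentication; sshd's built-in default is 'yes'."""
    return effective_options(config_text, user, groups).get("passwordauthentication", "yes")


# Constructed sample configs (not taken from any real host).
NEGATION_ONLY = "Match User !root\nPasswordAuthentication no\n"
NEGATION_WITH_WILDCARD = "Match User !root,*\nPasswordAuthentication no\n"
GLOBAL_NO_ROOT_YES = (
    "PasswordAuthentication no\n"
    "Match User root\n"
    "PasswordAuthentication yes\n"
    "Match all\n"            # ends the root block
    "MaxAuthTries 3\n"       # meant for everyone
)
MISSING_MATCH_ALL = GLOBAL_NO_ROOT_YES.replace("Match all\n", "")

if __name__ == "__main__":
    for name in ("NEGATION_ONLY", "NEGATION_WITH_WILDCARD", "GLOBAL_NO_ROOT_YES"):
        cfg = globals()[name]
        print("%-22s alice=%s root=%s" % (name, password_auth(cfg, "alice"),
                                          password_auth(cfg, "root")))
    # Without 'Match all', MaxAuthTries silently applies to root only.
    for who in ("alice", "root"):
        print("MISSING_MATCH_ALL  %s MaxAuthTries=%s" % (
            who, effective_options(MISSING_MATCH_ALL, who).get("maxauthtries", "6 (default)")))
```

The emulation shows the three outcomes the thread reports: with "Match User !root" alone the block never applies, so password login stays enabled for everyone; with "!root,*" or with the global-no/root-yes layout it is disabled for everyone except root; and without a closing "Match all" a later directive meant for everyone (MaxAuthTries here) lands in the root block only. On a real host the authoritative check is sshd itself: `sshd -t` validates the file (and reports directives that are not allowed in a Match block), and `sshd -T -C user=alice,host=client.example,addr=192.0.2.10 | grep -i passwordauthentication` prints the value that would apply to that connection.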
Answer (score 4)

For security reasons, you may need to block certain users' SSH access to a Linux box.

Edit the sshd_config file, the location will sometimes be different depending on Linux distribution, but it’s usually in /etc/ssh/.

Open the file up while logged on as root:

# vi /etc/ssh/sshd_config 

Insert a line at the end of the config file:

DenyUsers username1 username2 username3 username4 

Save it and restart the SSH service. SSH login for username1, username2, username3 and username4 is then disallowed.

Run the command below to restart it:

# systemctl restart sshd 

That completes the requirement. Try to SSH as one of those users and you will get the error "Access Denied".

Comments:
  • The question was about disabling password login (but keeping login with key authentication). Commented May 7, 2019 at 6:57
Answer (score 3)

The order of config statements counts. My solution in the file /etc/ssh/sshd_config:

Match User <username>
PasswordAuthentication yes
# "Match all" ends the block above and applies to everyone else
Match all
PasswordAuthentication no
Comments:
  • See formatting help to learn how to add formatting to your posts. Commented Sep 22, 2021 at 16:55
Answer (score 2)

There are a few ways that you can do this. First, you could conceivably run a second sshd daemon on a different port with a different config; it's a bit of a hack, but with some chroot work it should work just fine.

Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.

Answer (score 0)

You can simply go to the /etc/ssh/sshd_config file and add a line.

To allow:

AllowUsers user1

To deny:

DenyUsers user2

We can allow/deny login for a particular set of hosts using the hosts.allow or hosts.deny files located in the /etc folder.
