Best way to restrict some SSH users to publickey authentication only (disable password authentication)
There's a nice summary of the difference between ChallengeResponseAuthentication and KbdInteractiveAuthentication at http://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html - summary is that ChallengeResponse often ends up just asking for password (but insists on it being supplied interactively).
KbdInteractiveAuthentication and ChallengeResponseAuthentication are different things. It's just that ChallengeResponseAuthentication can end up just prompting for a password in simple cases.
ChallengeResponseAuthentication is a global setting and can't be specified within a Match clause - see the sshd_config man page for details.
Explicitly specifying AuthenticationMethods publickey for the git user should work fine and is better than disabling the ones you don't want (as the list could change).
The gssapi options come into play if you're working in a Kerberos environment (such as an Active Directory domain).
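An added example, not part of the original answer: a small audit helper that resolves which AuthenticationMethods value applies to a given user in an sshd_config and flags ChallengeResponseAuthentication placed inside a Match block. The function names and the sample config are constructed for illustration. The helper assumes whitespace-separated keywords and models only Match User and Match All.

```python
import re
# Constructed sample config (not from a real host).
SAMPLE = """\
PasswordAuthentication yes
Match User git
    ChallengeResponseAuthentication no
    AuthenticationMethods publickey
Match User git,deploy
    AuthenticationMethods publickey,password
"""

def _glob(pattern, user):
    # sshd patterns use only '*' and '?' as wildcards.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, user) is not None

def user_matches(pattern_list, user):
    # Comma-separated list: a negated ('!') hit vetoes, otherwise one positive hit is needed.
    hit = False
    for p in pattern_list.split(","):
        if p.startswith("!"):
            if _glob(p[1:], user):
                return False
        elif _glob(p, user):
            hit = True
    return hit

def effective_auth_methods(config_text, user):
    """Return (AuthenticationMethods value applying to user, list of warnings)."""
    global_val = match_val = None
    in_match, active, warnings = False, False, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            in_match, crit = True, [a.lower() for a in args[0::2]]
            is_user = crit == ["user"] and len(args) == 2
            active = crit == ["all"] or (is_user and user_matches(args[1], user))
            if crit != ["all"] and not is_user:
                warnings.append(f"line {n}: Match criteria not modelled, block skipped")
        elif key == "challengeresponseauthentication" and in_match:
            warnings.append(f"line {n}: ChallengeResponseAuthentication inside Match")
        elif key == "authenticationmethods":
            # Within each scope the first value obtained is the one that counts.
            if in_match and active and match_val is None:
                match_val = " ".join(args)
            elif not in_match and global_val is None:
                global_val = " ".join(args)
    # A Match block value overrides the global one; sshd's default is "any".
    return (match_val or global_val or "any"), warnings
```

On a live host, `sshd -T -C user=git,host=localhost,addr=127.0.0.1` prints the settings sshd itself resolves for that user.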