Creating user-specific authentication methods in SSH

You can use Match in sshd_config to change the PasswordAuthentication directive for individual users. Enter these Match rules at the bottom of the sshd_config file (generally /etc/ssh/sshd_config).

Match User root,foo,bar
    PasswordAuthentication no
Match User Rishee
    PasswordAuthentication yes

This would give root, foo and bar key authentication, and Rishee password authentication.

An alternative is to match by negation, like this:

PasswordAuthentication no
Match User *,!root
    PasswordAuthentication yes

In this case, everyone except root gets password authentication.

Note: The *, syntax is necessary, as wildcard and negation syntax is only parsed in comma-separated lists.

You can also match by group:

Match Group usergroup
    PasswordAuthentication no

Reason for entering Match at the bottom of the file:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
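The scoping rule above and the negated pattern list from earlier can be checked offline with a small resolver. This is an added example, not code from OpenSSH or from the original page; the function names and sample configs are constructed for illustration, and it handles only the User, Group and all criteria.

```python
import re

def _glob(pattern, value):
    # sshd patterns know only the '*' and '?' wildcards
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def match_list(pattern_list, values):
    """A negated hit rejects outright; otherwise at least one positive hit is required."""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if any(_glob(pat[1:] if negated else pat, v) for v in values):
            if negated:
                return False
            positive = True
    return positive

def criteria_ok(args, user, groups):
    if [a.lower() for a in args] == ["all"]:
        return True
    checks = {"user": [user], "group": list(groups)}
    # every criterion on the Match line must be satisfied
    return all(match_list(pats, checks[crit.lower()])
               for crit, pats in zip(args[0::2], args[1::2]))

def effective(config_text, keyword, user, groups=()):
    """Value applied to `user` for `keyword`, or None if unset (sshd's default applies)."""
    global_val = match_val = None
    in_match = None                      # None: global section; bool: inside a Match block
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = criteria_ok(args, user, groups)
        elif key == keyword.lower():
            if in_match is None and global_val is None:
                global_val = args[0]     # first value obtained wins
            elif in_match and match_val is None:
                match_val = args[0]
    return match_val if match_val is not None else global_val

# Constructed sample configs: the negation example, and a global line placed after a Match
NEGATED = "PasswordAuthentication no\nMatch User *,!root\n    PasswordAuthentication yes\n"
MISPLACED = "Match User Rishee\n    PasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for cfg, who in [(NEGATED, "root"), (NEGATED, "alice"), (MISPLACED, "foo")]:
        print(who, effective(cfg, "PasswordAuthentication", who))
```

In MISPLACED the trailing "PasswordAuthentication no" is absorbed into Rishee's Match block, so it never becomes a global setting. On a live host, `sshd -t` validates the file and `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the settings sshd would actually apply to that connection.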


You can enable password and key authentication at the same time; they are not exclusive.