194

On Linux (Debian Squeeze) I would like to disable SSH login using a password for some users (a selected group, or all users except root). But I do not want to disable login using a certificate for them.

edit: thanks a lot for the detailed answer! For some reason this does not work on my server:

Match User !root
PasswordAuthentication no

...but can be easily replaced by

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Stepan

6 Answers

211

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

# A negated entry on its own never yields a positive match (see PATTERNS in
# ssh_config(5)), so pair it with the "*" wildcard to match everyone but root.
Match User *,!root
    PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)

gkop
Cakemox
  • 4
    prefer Match user !root for this case – 84104 Jun 30 '11 at 16:41
  • 1
    Awesome, I didn't know about the Match syntax. One suggestion I would make, though, is if this is a public facing server, I wouldn't allow root login through SSH at all. Probably not a huge deal if it's internal, though. – Safado Jun 30 '11 at 17:47
  • I wouldn't allow root login through SSH at all - We use a strong root password so this is not a real security weakness. – Stepan Jul 04 '11 at 18:35
  • Strong or not, it can be brute-forced. – SpacemanSpiff Jul 04 '11 at 19:19
  • 4
    @SpacemanSpiff That's what a) strong passwords and b) denyhosts/fail2ban are for. – ceejayoz Jul 04 '11 at 19:56
  • 1
    @ceejayoz In the context of SSH, I'd suggest that's what a key-based login is for. Usually root login is unavoidable for admins who don't have physical access to their servers, very common in smaller scale web applications. – deed02392 Jul 05 '13 at 12:27
  • 2
    @deed02392 You can consider a key to be a really, really strong password if you like. – ceejayoz Jul 05 '13 at 13:26
  • 4
    It's so much stronger it's not in the same ball-park, that was my point. Password authentication should be disabled for root too and keys only allowed for logins. – deed02392 Jul 06 '13 at 11:49
  • 1
    From a practical standpoint, really strong passwords (no dict words, length >= 15 chars, mixed chars, etc.) cannot be brute forced over SSH (way too slow, would take a million years to crack). If you have the /etc/shadow file and a beastly rainbow table then you might be able to, but even then probably not. That being said, a really hard password usually gets written down... – Freedom_Ben Feb 05 '14 at 22:13
  • 1
    Also note: Put these lines to the end (!) of the file /etc/ssh/sshd_config and reload the SSH config: sudo /etc/init.d/ssh reload – rashid Jul 17 '12 at 13:44
  • 1
    Quite important in order to avoid errors such as: Directive XYZ is not allowed within a Match block. – pl1nk Oct 26 '12 at 15:41
  • I need "only sftp, no ssh"; will it also block sftp? – Peter Krauss Nov 09 '16 at 21:57
  • @ceejayoz No matter how strong a password you choose, it will not give you the security of key based authentication. That's because the key validation actually provides an extra layer of defence against MITM attacks, which you will not get with a stronger password. – kasperd Nov 27 '16 at 23:59
  • didn't work for me, ssh would not restart with the above block anywhere in the file – Jonathan Feb 17 '17 at 21:10
  • 1
    As per Trevor Hateley's answer, you'll probably need Match all on a new line afterwards, otherwise sshd will attempt to treat the remainder of the file as part of your block, and either refuse to restart with the Directive Foo is not allowed errors, or worse, start silently, but apply subsequent settings to the wrong people. – William Turrell Mar 18 '19 at 15:13
  • BTW nowadays this will not disable password authentication as long as you have "ChallengeResponseAuthentication yes". And unfortunately ChallengeResponseAuthentication cannot be included in a "Match" block. – Cris70 Jan 23 '24 at 11:22
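Added example (not from any answer or comment above): a small Python resolver that applies the same scoping rules sshd uses, so the configs in this thread can be checked before touching a live server. It follows the pattern semantics documented in the PATTERNS section of ssh_config(5), where a negated entry on its own never yields a positive match, which is why `Match User !root` matches nobody and `Match User *,!root` is needed; it models a block lasting until the next Match line, `Match all` closing a block, and the first satisfied block that sets a keyword winning. Only the User and Group criteria are handled, the sample configs are constructed for illustration, and it does not check which keywords are legal inside a Match block.

```python
"""Resolve the value sshd would apply to a user from an sshd_config text, using
sshd's own Match scoping rules.  Added illustration for this page, not OpenSSH
code; only the User and Group criteria are handled, and keywords that are
illegal inside a Match block are not detected (use 'sshd -t' for that)."""
import re

# Compiled-in default used when the file never sets the keyword (OpenSSH: yes).
DEFAULTS = {"passwordauthentication": "yes"}


def match_pattern_list(string, pattern_list):
    """OpenSSH match_pattern_list() rules: comma-separated entries, '*' and '?'
    wildcards, '!' negation.  A negated entry that matches rejects at once; one
    that does not match adds nothing, so "!root" alone never matches anyone."""
    got_positive = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        entry = entry[1:] if negated else entry
        regex = "^" + re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, string):
            if negated:
                return False
            got_positive = True
    return got_positive


def parse_sshd_config(text):
    """Return (global keywords, ordered Match blocks).  Each block is
    (criteria, keywords); lines after a Match line belong to it until the next
    Match line or end of file, and 'Match all' has empty criteria.  As in sshd,
    the first value seen for a keyword within a section wins."""
    global_kw, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = arg.split()
            if len(tokens) == 1 and tokens[0].lower() == "all":
                criteria = []
            elif tokens and len(tokens) % 2 == 0:
                criteria = [(tokens[i].lower(), tokens[i + 1]) for i in range(0, len(tokens), 2)]
            else:
                raise ValueError(f"malformed Match line: {raw!r}")
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_kw.setdefault(keyword, arg)
        else:
            current[1].setdefault(keyword, arg)
    return global_kw, blocks


def block_matches(criteria, user, groups):
    """Every criterion on the Match line must hold; Group holds when any of the
    user's groups matches the pattern list."""
    for crit, pattern in criteria:
        if crit == "user" and not match_pattern_list(user, pattern):
            return False
        if crit == "group" and not any(match_pattern_list(g, pattern) for g in groups):
            return False
        if crit not in ("user", "group"):
            raise ValueError(f"criterion {crit!r} not handled by this example")
    return True


def effective(text, keyword, user, groups=()):
    """First satisfied Match block that sets the keyword wins, then the global
    section, then the default (None if this example knows none)."""
    global_kw, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for criteria, kws in blocks:
        if key in kws and block_matches(criteria, user, groups):
            return kws[key]
    return global_kw.get(key, DEFAULTS.get(key))


# Constructed sample configs following the thread (not taken from any server).
NEGATION_ONLY = "Match User !root\n    PasswordAuthentication no\n"
NEGATION_FIXED = "Match User *,!root\n    PasswordAuthentication no\n"
ASKER_WORKAROUND = "PasswordAuthentication no\nMatch User root\n    PasswordAuthentication yes\n"
ORDER_MATTERS = "Match User alice\n    PasswordAuthentication yes\nMatch all\n    PasswordAuthentication no\n"
MISSING_MATCH_ALL = "Match Group users\n    PasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    configs = {"NEGATION_ONLY": NEGATION_ONLY, "NEGATION_FIXED": NEGATION_FIXED,
               "ASKER_WORKAROUND": ASKER_WORKAROUND, "ORDER_MATTERS": ORDER_MATTERS}
    for name, cfg in configs.items():
        for user in ("root", "alice", "bob"):
            print(f"{name:17} {user:6} PasswordAuthentication={effective(cfg, 'PasswordAuthentication', user)}")
    # Without 'Match all', PermitRootLogin sits inside the Group block, so it
    # never reaches root (who is not in 'users'); sshd would apply its default.
    print("MISSING_MATCH_ALL root   PermitRootLogin=",
          effective(MISSING_MATCH_ALL, "PermitRootLogin", "root", ["root"]))
```

Running it shows `NEGATION_ONLY` leaving password authentication enabled for every user, matching the asker's report, while `NEGATION_FIXED` and the asker's workaround disable it for everyone but root. On a real host the authoritative check is `sshd -t` for syntax, then `sshd -T -C user=bob,host=client.example,addr=192.0.2.10 | grep -i passwordauthentication` to print the value sshd would apply to that connection (the host name and address are placeholders).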
36

Match in sshd_config works well. You should use Match all to end the match block if you're using OpenSSH 6.5p1 or above. Example:

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
3

For security reasons, you may need to block certain users' SSH access to a Linux box.

Edit the sshd_config file, the location will sometimes be different depending on Linux distribution, but it’s usually in /etc/ssh/.

Open the file up while logged on as root:

# vi /etc/ssh/sshd_config

Insert a line at the end of the config file:

DenyUsers username1 username2 username3 username4

Save it and restart the SSH service. SSH login for username1, username2, username3 and username4 is now disallowed.

Run the command below to restart it:

# systemctl restart sshd

That satisfies the requirement. SSH in as one of those users and you will get the error "Access Denied".

Gerald Schneider
2

There are a few ways that you can do this - first, you could conceivably run a second sshd daemon on a different port with a different config - it's a bit of a hack, but with some chroot work it should work just fine.

Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.

0

The order of config statements counts ... my solution in the file

/etc/ssh/sshd_config:

Match User <username>
    PasswordAuthentication yes
# "Match all" (not "Match User all", which would only match a user literally
# named "all") ends the block above and applies to every other connection.
Match all
    PasswordAuthentication no
Michael Hampton
HansV
-1

You can simply go to the /etc/ssh/sshd_config file and add a line:

To allow --> AllowUsers user1

To deny --> DenyUsers user2

We can allow/deny login for a particular set of hosts using the hosts.allow or hosts.deny files located in the /etc folder.

Sharan