SSH Allow Password For One User, Rest Only Allow Public Keys

Question

Is it possible with ssh to allow passwords from a certain user, but deny using passwords for everybody else?

Basically I want to allow password auth for user justin but everybody else must use public keys.

PasswordAuthentication no

Seems to be global though, no way to specify by user.

Why? If you're the administrator of the server, your account ought to be protected just as much as the rest of the users, if not more so. — EEAA, Sep 01 '11 at 22:49
This question how to disable SSH login with password for some users? has the answer you want. — Zoredache, Sep 01 '11 at 22:50
When I try and use the match syntax, Match User justin PasswordAuthentication yes I am getting Bad configuration option: Match when I restart sshd. — Justin, Sep 01 '11 at 22:57
CentOS 5.6, looks to be: OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008. There inst an update in yum. — Justin, Sep 01 '11 at 23:06
The changelog (http://www.openssh.org/txt/release-4.4) seems to indicate that this is a 4.4 and above feature. — Zoredache, Sep 01 '11 at 23:25
So I do have to build openssh from source, or is there a yum repo I can add, and do yum update? — Justin, Sep 01 '11 at 23:48
Look at the sshd_config man page, and look at the section for the Match directive. — cjc, Sep 01 '11 at 22:42

score 115 · Answer 1 · edited Aug 18 '21 at 21:24

115

Necromancing, but adding the following to your sshd_config should do the trick:

Match User <username>
PasswordAuthentication yes
Match all

Note that match is effective "until either another Match line or the end of the file." (The indentation isn't significant.)

edited Aug 18 '21 at 21:24

Charles L.

answered May 28 '15 at 14:35

T0xicCode

14

You can also do a Match Group <groupname> if you want to use a common group to manage the password-allowed users (see this link). Remember to restart ssh, which you can do in Ubuntu with sudo service ssh restart. :) – ADTC Jan 02 '16 at 10:52

1 Answers1