30
  1. I have configured sshd on an Ubuntu server to use key authentication and it is working fine.
  2. I had to disable password authentication for key authentication to work.
  3. Server is always accessed via remote terminals or putty.

Now all user accounts are able to login with the authentication key and passphrase. But now I want to create only one new user without key authentication. So how should I go about doing this in such a way that does not hamper other users who are using key authentication.

Scott Pack
Hrish
  • It is not correct that you must disable password authentication for key authentication to work. However, disabling password authentication is usually a good thing anyway (unless you have a lot of trust in your users to choose excellent passwords -- and possibly even then). In any case, you have received good answers about how to disable password authentication for all but a single user, and that is probably the right strategy to follow. – D.W. Aug 21 '12 at 06:51

2 Answers

60

You can use Match in sshd_config to select individual users to alter the PasswordAuthentication directive for. Enter these Match rules at the bottom of the sshd_config file (generally /etc/ssh/sshd_config).

Match User root,foo,bar
    PasswordAuthentication no
Match User Rishee
    PasswordAuthentication yes

This would give root, foo and bar key authentication, and Rishee password authentication.

An alternative is to match by negation, like this:

PasswordAuthentication no
Match User *,!root
    PasswordAuthentication yes

In this case, everyone except root gets password authentication.

Note: The *, syntax is necessary, as wildcard and negation syntax is only parsed in comma-separated lists.

You can also match by group:

Match Group usergroup
    PasswordAuthentication no

Reason for entering Match at the bottom of the file:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

Polynomial
  • 2
    I didn't even know that was possible, cool :D – Lucas Kauffman Aug 02 '12 at 11:19
  • @Polynomial I created a user called auditor with a password and then I updated the /etc/ssh/sshd_config with the below entry. :
    Match User auditor PasswordAuthentication yes
    then tried to connect to the server with putty it said server refused connection No authentication method supported.
    – Hrish Aug 02 '12 at 12:07
  • I'd need to see the full set of authentication rules to help really. Could you stick it on a [pastebin](http://pastebin.com/) for me? Though, at this point, your question might be better suited to [Ask Ubuntu](http://askubuntu.com/). – Polynomial Aug 02 '12 at 12:12
  • @Polynomial [Pastbin for sshd_config](http://pastebin.com/q70D4Ww1) I have also asked it on askubuntu + Superuser + ServerFault – Hrish Aug 02 '12 at 13:06
  • Try inverting the way you've written it -> http://pastebin.com/h5bgWFrr – Polynomial Aug 02 '12 at 13:16
  • 1
    @Rishee you need to restart sshd for the changes to take effect. – Maerlyn Aug 02 '12 at 14:56
  • @Maerlyn I do that after every change... but thanks :) – Hrish Aug 02 '12 at 15:02
  • 1
    There's an error in your answer. You can't use `Match User !root` You have to use `Match User *,!root` – Edward Ned Harvey Oct 04 '16 at 16:55
  • @EdwardNedHarvey This answer is 4 years old, it may have changed since then. Feel free to propose an edit. – Polynomial Oct 07 '16 at 19:14
  • 1
    Pretty sure I just proposed an edit. The line `Match User !root` doesn't work, because you need to put the `*,` in there. – Edward Ned Harvey Oct 07 '16 at 23:18
  • 1
    @EdwardNedHarvey I meant an actual edit proposal through the StackExchange functionality. – Polynomial Oct 08 '16 at 14:55
  • For those who are also wondering: a match block can be ended with `Match all`. – max Feb 19 '17 at 16:25
  • This is great, I used it for AuthenticationMethods and it works like a charm. – lucasart May 15 '19 at 10:09
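To make the rules in the accepted answer concrete, here is a small emulator of how sshd resolves a keyword for a given user from the Match blocks in sshd_config. It is an added example, not part of the answer and not OpenSSH code; the SAMPLE_CONFIG it parses is constructed for the demo. It models only the User, Group and all criteria (Host/Address are treated as unmet), uses fnmatch to approximate sshd's * and ? wildcards, and applies the same ordering sshd does: the first matching Match block that sets a keyword wins, otherwise the global section, otherwise the compiled-in default (yes for PasswordAuthentication). The match_pattern_list function also shows why the answer's negation form needs the leading *: a list containing only negated patterns never matches.

```python
"""Added example: a small emulator of how sshd resolves a per-user keyword
from sshd_config Match blocks (not part of the answer or of OpenSSH)."""
import fnmatch
import shlex

# Constructed sample sshd_config, not any real host's file. It combines the
# forms from the answer: a global default, per-user and per-group Match
# blocks, the "*,!user" negation form, and "Match all" to end a block.
SAMPLE_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes

Match User auditor
    PasswordAuthentication yes

Match Group contractors
    PasswordAuthentication yes

Match User *,!root
    X11Forwarding no

Match all
LogLevel VERBOSE
"""

# Compiled-in defaults for the keywords this demo cares about (sshd's own
# default for PasswordAuthentication is yes).
DEFAULTS = {"passwordauthentication": "yes"}


def match_pattern_list(name, pattern_list):
    """sshd-style comma-separated pattern list: a negated pattern that
    matches rejects the whole list; otherwise any positive match wins.
    A list containing only negations can never match, which is why the
    answer's '*,!root' form needs the leading '*'."""
    got_positive = False
    for pat in pattern_list.split(","):
        if not pat:
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        # fnmatchcase approximates sshd's '*' and '?' wildcards.
        if fnmatch.fnmatchcase(name, pat):
            if negate:
                return False
            got_positive = True
    return got_positive


def parse_config(text):
    """Split the file into the global section and an ordered list of
    (criteria, options) Match blocks. Keywords are case-insensitive and,
    as in sshd, the first value seen for a keyword in a section wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            if len(args) == 1 and args[0].lower() == "all":
                criteria = {"all": True}
            else:
                criteria = {c.lower(): v for c, v in zip(args[0::2], args[1::2])}
            current = (criteria, {})
            blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(keyword, " ".join(args))
    return global_opts, blocks


def block_matches(criteria, user, groups):
    """All criteria on a Match line must be satisfied."""
    if criteria.get("all"):
        return True
    for crit, pattern in criteria.items():
        if crit == "user":
            if not match_pattern_list(user, pattern):
                return False
        elif crit == "group":
            if not any(match_pattern_list(g, pattern) for g in groups):
                return False
        else:
            # Host/Address/LocalPort criteria are not modelled; treat as unmet.
            return False
    return True


def effective_option(text, keyword, user, groups=()):
    """Value sshd would apply for `user`: the first matching Match block that
    sets the keyword, else the global section, else the compiled-in default."""
    keyword = keyword.lower()
    global_opts, blocks = parse_config(text)
    for criteria, opts in blocks:
        if keyword in opts and block_matches(criteria, user, groups):
            return opts[keyword]
    return global_opts.get(keyword, DEFAULTS.get(keyword))


if __name__ == "__main__":
    for user, groups in [("root", ()), ("auditor", ()),
                         ("alice", ("contractors",)), ("bob", ())]:
        value = effective_option(SAMPLE_CONFIG, "PasswordAuthentication", user, groups)
        print(f"{user:8} PasswordAuthentication {value}")
```

With the sample file, root and bob resolve to PasswordAuthentication no (global), auditor resolves to yes (user block), and alice resolves to yes through the contractors group. On a real host the authoritative check is sshd itself: `sshd -T -C user=auditor` prints the effective configuration for that user, which is the quickest way to see whether a Match block is actually taking effect, and as the comments note sshd must be restarted (or reloaded) after editing the file.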
3

You can enable password and key-authentication at the same time, they are not exclusive.

Lucas Kauffman
  • But they're not selective. (EG. Not multifactor) It allows multiple single factors. Though redhat fixed [that](http://www.nzinfosec.com/redhat-adds-multi-factor-authentication-to-ssh/) – Ori Aug 03 '12 at 03:48