75

Is it possible with ssh to allow passwords from a certain user, but deny using passwords for everybody else?

Basically I want to allow password auth for user justin but everybody else must use public keys.

```
PasswordAuthentication no
```

Seems to be global though, no way to specify by user.

Justin
  • 3
    Why? If you're the administrator of the server, your account ought to be protected just as much as the rest of the users, if not more so. – EEAA Sep 01 '11 at 22:49
  • 3
    This question [how to disable SSH login with password for some users?](http://serverfault.com/questions/285800/how-to-disable-ssh-login-with-password-for-some-users) has the answer you want. – Zoredache Sep 01 '11 at 22:50
  • When I try and use the match syntax, `Match User justin PasswordAuthentication yes`, I am getting `Bad configuration option: Match` when I restart sshd. – Justin Sep 01 '11 at 22:57
  • 3
    Wow, how old is your SSH? – womble Sep 01 '11 at 23:01
  • CentOS 5.6, looks to be: OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008. There isn't an update in yum. – Justin Sep 01 '11 at 23:06
  • The changelog (http://www.openssh.org/txt/release-4.4) seems to indicate that this is a 4.4 and above feature. – Zoredache Sep 01 '11 at 23:25
  • So do I have to build openssh from source, or is there a yum repo I can add, and do yum update? – Justin Sep 01 '11 at 23:48
  • Look at the sshd_config man page, and look at the section for the Match directive. – cjc Sep 01 '11 at 22:42

1 Answer

99

Necromancing, but adding the following to your sshd_config should do the trick:

```
Match User <username>
    PasswordAuthentication yes
Match all
```

Note that match is effective "until either another Match line or the end of the file." (The indentation isn't significant.)

Charles L.
T0xicCode
  • 14
    You can also do a `Match Group ` if you want to use a common group to manage the password-allowed users ([see this link](http://security.stackexchange.com/a/18038/52494)). Remember to restart ssh, which you can do in Ubuntu with `sudo service ssh restart`. :) – ADTC Jan 02 '16 at 10:52
  • 9
    You want to end the Match block with "Match all" – AdamG May 03 '18 at 18:20
  • 3
    It didn't work for me... – Dimitrios May 23 '19 at 10:27
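
The following is an added example, not code from the question, the answer or OpenSSH: a simplified Python model of how a keyword such as `PasswordAuthentication` resolves across `Match` blocks, showing why a "global" line placed after a `Match User` block without `Match all` never reaches other users. It models only the `Match User` and `Match all` criteria, and both sample configs are constructed.

```python
from fnmatch import fnmatchcase

def user_matches(patterns, user):
    """Comma-separated pattern list; a matching '!pattern' vetoes the match."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatchcase(user, pat[1:]):
                return False
        elif fnmatchcase(user, pat):
            matched = True
    return matched

def effective(config, keyword, user, default="yes"):
    """Resolve `keyword` for `user`: first value in a matching Match block,
    else first global value, else the default (assumed here to be "yes")."""
    global_val = match_val = None
    in_match, active = False, True
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            in_match = True
            if len(words) == 2 and words[1].lower() == "all":
                active = True
            elif len(words) == 3 and words[1].lower() == "user":
                active = user_matches(words[2], user)
            else:
                raise ValueError("criterion not modelled: " + raw.strip())
        elif key == keyword.lower() and active:
            if in_match:
                match_val = match_val or words[1]
            else:
                global_val = global_val or words[1]
    return match_val or global_val or default

# Constructed sample configs (not from the page).
GOOD = "PasswordAuthentication no\nMatch User justin\n    PasswordAuthentication yes\nMatch all\n"
# "Global" line appended after the block: it lands inside Match User justin.
BAD = "Match User justin\n    PasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        for user in ("justin", "alice"):
            print(name, user, effective(cfg, "PasswordAuthentication", user))
```

On a real server, `sshd -t` checks the file for syntax errors and `sshd -T -C user=justin` prints the settings sshd would apply to that user; some releases also require `host=` and `addr=` in the `-C` spec.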