I was wondering if it is possible to accomplish the following, all at the same time:
- Disable root logins
- Enable SSH login for personal user, only via SSH keys
- Enable SSH login for unprivileged user, with password authentication and two-factor authentication only
Using the `Match` block in `sshd_config` I was able to set this up so that in general `PasswordAuthentication` was disabled except for the unprivileged user (let's call it `peon`). SSH keys were required for logging in to the personal user (who has sudo capabilities).
However, when I try to enable two-factor authentication (`pam_google_authenticator`) I have to turn on `ChallengeResponseAuthentication`, which seems to not work in a `Match` block, and is therefore turning password authentication back on for everyone.
Is there a way to accomplish this? I'm not overly great with this type of stuff, so detailed explanations would be really appreciated.
Thanks!
Best Answer
Recent versions of openssh include the `AuthenticationMethods` option: Debian backported openssh-6.2 a while back, so I expect this to be available in Raspbian as well.
You can have the main block of your `sshd_config` with `ChallengeResponseAuthentication` enabled:
and then use `AuthenticationMethods` in your `Match` blocks (use `Group` matching instead of `User` matching to ease scalability):
Additionally, you can use `pam_succeed_if(8)` to trigger the two-factor authentication only if a matching group requires it:
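An added example of how those pieces fit together; this is not the answer's own configuration. It assumes a Debian-style PAM layout and two groups, `sshkeyonly` (the personal, sudo-capable user) and `twofactor` (unprivileged users such as `peon`), whose names are made up here.

```text
# /etc/ssh/sshd_config  (added example; group names are assumptions)
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# Must stay on globally so pam_google_authenticator can prompt.
# OpenSSH 8.7+ calls this KbdInteractiveAuthentication (old name still accepted).
ChallengeResponseAuthentication yes
UsePAM yes

# Default for every user not matched below: a key is the only method sshd
# will accept, so the PAM prompt is never offered even though it is enabled.
AuthenticationMethods publickey

# Personal user(s): key only (explicit, same as the default above).
Match Group sshkeyonly
    AuthenticationMethods publickey

# Unprivileged user(s) such as peon: Unix password followed by the OTP code,
# both asked by PAM via keyboard-interactive; the plain "password" method
# stays disabled, so turning on ChallengeResponseAuthentication globally
# no longer re-enables password logins for everyone.
Match Group twofactor
    AuthenticationMethods keyboard-interactive:pam

# /etc/pam.d/sshd  (auth section; on Debian pam_unix comes in through
# "@include common-auth", so these two lines go after that include)
# If the user is NOT in group "twofactor", skip the next module (success=1),
# so only members of that group are asked for the verification code.
auth [success=1 default=ignore] pam_succeed_if.so user notingroup twofactor
auth required pam_google_authenticator.so
```

Before restarting sshd, `sshd -T -C user=peon | grep -i authenticationmethods` shows which methods the daemon would actually require for a given user.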