Is it possible to force specific users to log in with public key, while allowing other users to log in with password? Since public key authentication (with passphrase) is stronger than password-only authentication, we would like to require sudoers to log in with public key. However, it is less convenient to force normal users to do so. In sshd_config, I don't see any policy-related configuration.
Ssh – Force SSH public key authentication for specific users
public-key, security, ssh
Best Answer
You have a few options. In this answer I'm going to assume you have a sudoers group defined.

Take a look at the sshd_config man page, and look for the Match directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:

You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers group. This would probably involve the pam_succeed_if module... you could add something like this to your auth config for sshd:

This means that only people not in the sudoers group can authenticate via PAM. Note that this is untested. You could also use the pam_listfile module to do something similar.
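
Added example, not part of the original answer: one way to write the Match approach described above in sshd_config. The group name sudoers is the answer's assumption; the global defaults shown are assumed for illustration, and the keywords are standard OpenSSH ones.

```conf
# /etc/ssh/sshd_config (added example, assumed layout)

# Global defaults: ordinary users may use either method.
PubkeyAuthentication yes
PasswordAuthentication yes

# A Match block runs until the next Match line or the end of the file,
# so keep it below all global settings.
Match Group sudoers
    # Only a successful public key exchange completes authentication.
    AuthenticationMethods publickey
    # Also switch off the password-based methods for members of this group.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
```

Before reloading sshd, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=<name>,host=<host>,addr=<addr>` prints the effective settings that would apply to that user's connection.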