Ssh – Force SSH public key authentication for specific users


Is it possible to force specific users to login with public key, while allowing other users to login with password? Since public key authentication (with passphrase) is stronger than password-only authentication, we would like to require sudoers to login with public key. However, it is less convenient to force normal users to do so. In sshd_config, I don't see any policy-related configuration.

Best Answer

You have a few options. In this answer I'm going to assume you have a sudoers group defined.

Take a look at the sshd_config man page, and look for the Match directive. This lets you specify configuration blocks that apply only to a subset of your ssh connections. You could do something like this:

Match Group sudoers
    PasswordAuthentication no
    ChallengeResponseAuthentication no

You could in theory accomplish something similar with a PAM configuration that would simply fail authentication attempts by people in the sudoers group. This would probably involve the pam_succeed_if module... you could add something like this to your auth config for sshd:

auth        requisite     pam_succeed_if.so user notingroup sudoers quiet

This means that only people not in the sudoers group can authenticate via PAM. Note that this is untested. You could also use the pam_listfile module to do something similar.
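To check that a Match block really removes password login for the intended accounts before relying on it, here is an added Python example (not from the answer above, and not part of OpenSSH) that models how sshd evaluates Match Group/User blocks over a constructed config. The sample config and the helper names are assumptions of this example; only User and Group criteria are handled.

```python
import fnmatch

SAMPLE_CONFIG = """
# constructed sample: password login allowed globally, disabled for the sudoers group
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match Group sudoers
    PasswordAuthentication no
    ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]); keywords are lowercased and, within a
    section, the first value seen is kept, mirroring sshd's "first obtained value" rule."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key.lower() == "match":
            # "Match Group sudoers User alice" -> [("group", ["sudoers"]), ("user", ["alice"])]
            criteria = [(args[i].lower(), args[i + 1].split(",")) for i in range(0, len(args) - 1, 2)]
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key.lower(), " ".join(args))
    return global_opts, blocks

def block_matches(criteria, user, groups):
    """User/Group criteria with sshd-style wildcards; Address/Host criteria and '!' negation
    are not modelled here (assumption of this example) and never match."""
    for kind, patterns in criteria:
        names = {"user": [user], "group": groups}.get(kind)
        if names is None or not any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns):
            return False
    return True

def effective(text, keyword, user, groups, default):
    """First matching Match block that sets the keyword wins, else the global value, else default."""
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for criteria, opts in blocks:
        if key in opts and block_matches(criteria, user, groups):
            return opts[key]
    return global_opts.get(key, default)

def password_login_blocked(text, user, groups):
    """True when neither password nor challenge-response authentication is offered to this user."""
    return all(effective(text, kw, user, groups, "yes") == "no"
               for kw in ("PasswordAuthentication", "ChallengeResponseAuthentication"))
```

On a real host the authoritative check is sshd itself: `sshd -T -C user=alice,host=example.org,addr=192.0.2.10` prints the effective configuration sshd would apply to that connection, Match blocks included.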