30
  1. I have configured sshd on an Ubuntu server to use key authentication and it is working fine.
  2. I had to disable password authentication for key authentication to work.
  3. Server is always accessed via remote terminals or PuTTY.

Now all user accounts are able to log in with the authentication key and passphrase. But now I want to create only one new user without key authentication. So how should I go about doing this in such a way that does not hamper other users who are using key authentication?

1
  • It is not correct that you must disable password authentication for key authentication to work. However, disabling password authentication is usually a good thing anyway (unless you have a lot of trust in your users to choose excellent passwords -- and possibly even then). In any case, you have received good answers about how to disable password authentication for all but a single user, and that is probably the right strategy to follow.
    – D.W.
    Aug 21, 2012 at 6:51

2 Answers

60

You can use Match in sshd_config to select individual users to alter the PasswordAuthentication directive for. Enter these Match rules at the bottom of the sshd_config file (generally /etc/ssh/sshd_config):

Match User root,foo,bar
    PasswordAuthentication no
Match User Rishee
    PasswordAuthentication yes

This would give root, foo and bar key authentication, and Rishee password authentication.

An alternative is to match by negation, like this:

PasswordAuthentication no
Match User *,!root
    PasswordAuthentication yes

In this case, everyone except root gets password authentication.

Note: The *, syntax is necessary, as wildcard and negation syntax is only parsed in comma-separated lists.

You can also match by group:

Match Group usergroup
    PasswordAuthentication no

Reason for entering Match at the bottom of the file:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

13
  • 2
    I didn't even know that was possible, cool :D Aug 2, 2012 at 11:19
  • 1
    @Rishee you need to restart sshd for the changes to take effect.
    – Maerlyn
    Aug 2, 2012 at 14:56
  • 1
    There's an error in your answer. You can't use Match User !root. You have to use Match User *,!root. Oct 4, 2016 at 16:55
  • 1
    Pretty sure I just proposed an edit. The line Match User !root doesn't work, because you need to put the *, in there. Oct 7, 2016 at 23:18
  • 1
    @EdwardNedHarvey I meant an actual edit proposal through the StackExchange functionality.
    – Polynomial
    Oct 8, 2016 at 14:55
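
The pattern-list behaviour discussed in the answer and comments above (why `Match User !root` never matches while `Match User *,!root` does), as an added example that is not part of the original answer and is not OpenSSH's own code. It is a simplified Python model: the function names and sample configs are constructed here, and only single-criterion `Match User` blocks are handled.

```python
import re

def pattern_list_matches(patterns, value):
    """OpenSSH pattern-list rule: a negated hit rejects immediately, and a
    list needs at least one positive hit, so negation alone never matches."""
    positive = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        # Only '*' and '?' are wildcards; every other character is literal.
        rx = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, value):
            if negated:
                return False
            positive = True
    return positive

def effective_setting(config, user, keyword="PasswordAuthentication"):
    """A value from a matching Match block overrides the global section; the
    first value obtained wins. Assumption: only 'Match User' is modelled."""
    global_value = match_value = None
    in_match, active = False, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name == "match":
            crit = args.split(None, 1)
            in_match = True
            active = (len(crit) == 2 and crit[0].lower() == "user"
                      and pattern_list_matches(crit[1], user))
        elif name == keyword.lower() and active:
            if in_match:
                match_value = match_value or args
            else:
                global_value = global_value or args
    return match_value or global_value

# Constructed sample configs built from the rules quoted on this page.
GLOBAL = "PasswordAuthentication no\n"
NEGATION_ONLY = GLOBAL + "Match User !root\n    PasswordAuthentication yes\n"
WILDCARD_NEGATION = GLOBAL + "Match User *,!root\n    PasswordAuthentication yes\n"
PER_USER = GLOBAL + "Match User Rishee\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for cfg in (NEGATION_ONLY, WILDCARD_NEGATION, PER_USER):
        users = ("root", "alice", "Rishee")
        print(cfg.splitlines()[1], {u: effective_setting(cfg, u) for u in users})
```

On a real server, `sshd -t` checks the file for errors and `sshd -T -C user=Rishee` prints the settings sshd itself resolves for that user (some OpenSSH versions also require `host=` and `addr=` in the `-C` argument).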
3

You can enable password and key-authentication at the same time, they are not exclusive.

1
  • But they're not selective. (E.g. not multifactor.) It allows multiple single factors. Though Red Hat fixed that.
    – Ori
    Aug 3, 2012 at 3:48
