How to disable password authentication for every users except several
-
27-09-2019 - |
Question
I want to share my answer for question in title, which I can't find quickly.
There many topics how to disable password auth at all:
UsePam yes # it will not be used
ChallengeResponseAuthentication no
PasswordAuthentication no
kbdInteractiveAutentication no
but no topics how to enable for paticular user:
Match User myuser
PasswordAuthentication yes
KbdInteractiveAutentication yes
Also useful command to test sshd config is:
sshd -T -C user=myuser,host=127.1,addr=127.1
Please, note that "127.1" will not work on every system, so you may need paste 127.0.0.1 here.
Solution
If it is not about password authentication specifically, you could force usage of pam_access.so
and have your /etc/security/access.conf
look like so:
+ : myuser : <ip/net here or ALL>
- : ALL : ALL
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow