SSHd restriction per user basis

I think what you want is "Match User". You use it to match a username, then indent a series of config settings that apply specifically to that user.

Match User Joe
  PasswordAuthentication no

Match User Jane
  PasswordAuthentication yes

I use this to set up chroot SFTP-only access sometimes for clients.

Set up ssh as follows:

nano /etc/ssh/sshd_config

AllowUsers username1 username2 username3

Restart SSH

Then provide the keys to those who you would like to avoid using passwords.

ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created:

#ssh-keygen -t rsa

The command ssh-keygen -t rsa initiated the creation of the key pair.

I didn't enter a passphrase for my setup (Enter key was pressed instead).

The private key was saved in .ssh/id_rsa. This file is read-only and only for you. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key.

The public key is save in .ssh/id_rsa.pub.

Its content is then copied in file .ssh/authorized_keys of the system you wish to SSH to without being prompted for a password.

#scp id_rsa.pub remote system:~/.ssh/authorized_keys

Finally lock the account (Key authentication will still be possible.)

# passwd -l username1

What I would do is to set /etc/sshd/sshd_config such that:

PermitRootLogin without-password

just for extra security and to avoid having the root password locked (it would only allow root to log in using a key)

I would instead use AllowGroups instead of AllowUser, as for me it would be more convenient to add users to a group rather than to sshd_config but that could depend on your personal preferences.

All the above are great and work and if I may be allowed to tie it up a little. I use a standard sshd_config across a large number of servers and flavours making the configuration a deliberate thought processes and this is what I use.

My use case:

• Root access is restricted to key only from 2 specific IP's
• Automation users (eg ansible) are restricted to key only from specific servers (eg RunDeck, Jenkins, etc)
• Application users may not login at all using ssh
• Admins and users may use key or password

Firstly, I primarily use Allow_Groups, easier to manage across multiple boxes with a pleothora of different users. For users common to all boxes (eg automation or monitoring), allow_Users also works well but I still prefer using groups.

Now down to the actual configs /etc/ssh/sshd_config:

First off, all only specific group (or users) SSH access:

AllowGroups sshusr

This essentially means the users need to be a member of the sshusr group in order to be able to use SSH. To prevent application users gaining ssh access, simply make sure they are not a member of the sshusr group. NOTE: This includes root so you need to add root to the sshusr group!

For root access via key only use:

PermitRootLogin without-password

For restricting groups to use key-only authentication :

Match Group ansible,monitor
  PasswordAuthentication no

As a default, I turn off things like port forwarding and X11 forwarding etc but for specific groups you may want to turn it on and allow password authentication (usually on by default but for secure environments you may want to turn it off to make keys the default)

Match Group sysadmin,dbadmin
  PasswordAuthentication yes
  AllowTcpForwarding yes
  PermitTunnel yes
  X11Forwarding yes

Then you have the special cases like sftp only users:

Match Group sftp
  ForceCommand internal-sftp
  PermitTTY no
  MaxSessions 5

Now for restricting the keys to allow access from specific IP's only. This works for FQDN's as well but I have not used it here. In the ~/.ssh/authorized_keys file prepend the from= restriction to the applicable key(s)

from="10.1.1.1,10.2.2.2,10.3.3.0/24" ssh-rsa AAAAB3NTheRestOfMyKeyxyz

That will allow the key to be used from those specific IP's only.

I trust this helps you and potentially many others.