On Linux (Debian Squeeze) I would like to disable SSH password login for some users (a selected group, or all users except root). But I do not want to disable login using a certificate for them.
Edit: thanks a lot for the detailed answer! For some reason this does not work on my server:
Match User !root
PasswordAuthentication no
...but can be easily replaced by
PasswordAuthentication no
Match User root
PasswordAuthentication yes
Try Match in sshd_config:
Or by group:
Or, as mentioned in the comment, by negation:
Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)
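The three approaches named in this answer (by user, by group, by negation), written out as an added example; it is not the answerer's original configuration, which did not survive on this page. The group name keyonly and the user alice are hypothetical. Use one variant, not all three.

```conf
# /etc/ssh/sshd_config (fragment), constructed example.
# "keyonly" (group) and "alice" (user) are hypothetical names.

PubkeyAuthentication yes

# Variant A: keys only for everyone, password still allowed for root.
# The global default comes first; keywords inside a Match block
# override the global value for connections that match.
PasswordAuthentication no

Match User root
    PasswordAuthentication yes

# Variant B: the same effect by negation, when the global default is "yes".
# A pattern list made up only of negated entries never produces a match,
# so a positive wildcard has to come first.
#Match User *,!root
#    PasswordAuthentication no

# Variant C: by group membership, when the global default is "yes".
#Match Group keyonly
#    PasswordAuthentication no

# Check the result before restarting sshd (run as root):
#   sshd -t     # syntax check of the whole file
#   sshd -T -C user=root,host=localhost,addr=127.0.0.1 | grep -i passwordauthentication
#   sshd -T -C user=alice,host=localhost,addr=127.0.0.1 | grep -i passwordauthentication
```

Keep an existing root session open while testing, so that a mistake in the file does not lock you out.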
Match in sshd_config works well. You should use Match all to end the match block if you're using openssh 6.5p1 or above. Example:
For security reasons, you may need to block certain users' SSH access to a Linux box.
Edit the sshd_config file, the location will sometimes be different depending on Linux distribution, but it’s usually in /etc/ssh/.
Open the file up while logged on as root:
Insert a line at the end of the config file:
Save it and restart the SSH service. Basically, SSH login for username1, username2, username3 & username4 is disallowed.
Run the command below to restart it:
The requirement is now met. Try to SSH in as those users and you will get the error "Access Denied".
There are a few ways that you can do this - first, you could conceivably run a second sshd daemon on a different port with a different config - it's a bit of a hack, but with some chroot work it should work just fine.
Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.
You can simply go to the /etc/ssh/sshd_config file and add a line:
To allow: AllowUsers user1
To deny: DenyUsers user2
We can allow/deny login for a particular set of hosts using the hosts.allow or hosts.deny files located in the /etc folder.
The order of config-statements counts ... my solution to the file /etc/ssh/sshd_config: