I would like to allow to first remote login via ssh using password for a new users. After that authentication should be restricted to public key. How to deal with that? I mean how to restrict second and next login to ssh-keys, but allow first with password.
SnapOverflow
You didn't specify which operating system you are running so I'll assume it's Linux.
Have a look at the OTPW package. It's available on most distributions and is relatively easy to set up.
Below are two tutorials which explain how to set it up:
you could reset the password after the user logs in with some kind of /etc/profile or bashrc script.
Then you need to avoid, that the user can change his password again. You know the four PAM facilities auth, account, password, session? You would have to change the password facility so that the user can not change his password anymore.
If you do not want to use ssh-keys but rather run a scenario:
fist login: easy login with password 2nd/3rd login with increased security
you manage the complete scenario in the backend with something like privacyIDEA. There a user can have different authentication devices (like "password" or OTP token). And you can define how often such a device (like the password) can be used. So set the password-to-be-used-only-once and you are done. There is a howto for runnnig it with a server farm and ssh.
Kind regards Cornelius