After reading this similar question I'm unclear how to require SSH keys for user, while denying SSH access to root (key or password). I'll use sudo after logging in as a user if I need to be root.
I know how to require SSH keys:
PermitRootLogin without-password
I know how to disable user 'root' from logging in:
PermitRootLogin no
I know how to whitelist a user:
AllowUsers user
I don't know how to put this all together (or if it's even necessary? - SSH key may be good enough). I would normally solve an answer like this through trial and error, but I'm afraid I'll lock myself out of this server...
If you want to disallow password logins then just set
PasswordAuthentication no
in the sshd_conf on the server.
I don't recall exactly, but I think at least no root login is the default.
Attempting to log in as any user on the system, who does not have your public key in their ~/.ssh/authorized_keys will ask for the password, whether or not a password is set, or a shell is available, if password login has not been disabled.
I think what you want is simply:
This will disallow any root login, either with ssh key or password, and will require users to login with a valid key, as included by having the public key in that user's ~/.ssh/authorized_keys file.
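For the lock-out worry in the question, this added example (not code from either post) checks effective sshd settings against the policy discussed here before sshd is reloaded. It reads the lowercase "keyword value" lines that `sshd -T` prints; the function name `check_sshd_policy` and both sample inputs are constructed for illustration.

```shell
# Added example: audit effective sshd settings ("sshd -T" format) on stdin.
# On a real host (as root):  sshd -T | check_sshd_policy user
# Prints one line per deviation; returns 0 only when the policy holds.
check_sshd_policy() {
    awk -v user="$1" '
        # sshd -T may print one allowusers line per entry; collect them all.
        $1 == "allowusers" { for (i = 2; i <= NF; i++) allowed[$i] = 1; n++; next }
        { val[$1] = $2 }
        END {
            if (val["permitrootlogin"] != "no")
                bad = bad "permitrootlogin=" val["permitrootlogin"] " (want no)\n"
            if (val["passwordauthentication"] != "no")
                bad = bad "passwordauthentication=" val["passwordauthentication"] " (want no)\n"
            if (val["pubkeyauthentication"] != "yes")
                bad = bad "pubkeyauthentication=" val["pubkeyauthentication"] " (want yes)\n"
            # Keyboard-interactive can still prompt for a password through PAM.
            if (val["kbdinteractiveauthentication"] == "yes" ||
                val["challengeresponseauthentication"] == "yes")
                bad = bad "keyboard-interactive authentication is enabled\n"
            # AllowUsers is optional, but once set it must list the login user.
            # Patterns such as user@host are not evaluated here (exact names only).
            if (n && !(user in allowed))
                bad = bad "allowusers does not list " user " (login would be refused)\n"
            if ("root" in allowed)
                bad = bad "allowusers lists root\n"
            printf "%s", bad
            exit (bad != "")
        }'
}

# Constructed sample inputs, not captured from a real server.
SAMPLE_WEAK='permitrootlogin without-password
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no
allowusers root'

SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
allowusers user'

# Demo: the weak sample reports four deviations, the hardened one none.
printf '%s\n' "$SAMPLE_WEAK" | check_sshd_policy user || true
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_policy user && echo "policy holds"
```

Run `sshd -t` to validate the configuration file before reloading, and keep the current SSH session open while confirming from a second terminal that a key login as the user still works.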