How to disable SSH login with password for some users?

380

Solution 1

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

# A negated pattern alone never matches; the trailing * supplies the positive match
Match User "!root,*"
    PasswordAuthentication no

Note that Match is effective "until either another Match line or the end of the file" (the indentation isn't significant).

Solution 2

Match in sshd_config works well. You should use Match all to end the match block if you're using OpenSSH 6.5p1 or above. Example:

PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
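
An added example (not code from any of the answers, and not OpenSSH's own implementation): a small Python model of how sshd picks a keyword's value across Match blocks, covering only the User, Group and all criteria. It shows why a negation-only pattern list never matches and what the Match all terminator does; the sample configs are constructed, and `sshd -T -C user=NAME` on the real host remains the authoritative check.

```python
import fnmatch
import shlex

def pattern_list_matches(values, pattern_list):
    """OpenSSH pattern-list rule over one user name or a user's group names."""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        glob = pat[1:] if negated else pat
        hit = any(fnmatch.fnmatchcase(v, glob) for v in values)
        if hit and negated:
            return False              # a negated hit vetoes the whole list
        positive = positive or hit
    return positive                   # negations alone never produce a match

def match_applies(criteria, user, groups):
    """True when every criterion on a Match line holds (User/Group/all only)."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    subjects = {"user": [user], "group": list(groups)}
    return all(pattern_list_matches(subjects[name.lower()], pats)
               for name, pats in zip(criteria[0::2], criteria[1::2]))

def effective(config, keyword, user, groups=()):
    """Model: first value from a matching Match block, else first global value."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        if tokens[0].lower() == "match":
            in_match, active = True, match_applies(tokens[1:], user, groups)
        elif tokens[0].lower() == keyword.lower():
            if not in_match:
                global_val = global_val if global_val is not None else tokens[1]
            elif active and match_val is None:
                match_val = tokens[1]
    return match_val if match_val is not None else global_val

# Constructed sample files, not taken from a real host.
WITH_MATCH_ALL = ("PasswordAuthentication no\nMatch User root\n"
                  "    PasswordAuthentication yes\nMatch all\nX11Forwarding no\n")
NEGATION_ONLY = "PasswordAuthentication yes\nMatch User !root\nPasswordAuthentication no\n"
NEGATION_WILDCARD = NEGATION_ONLY.replace("!root", '"!root,*"')

if __name__ == "__main__":
    for cfg in (WITH_MATCH_ALL, NEGATION_ONLY, NEGATION_WILDCARD):
        print({u: effective(cfg, "PasswordAuthentication", u) for u in ("root", "alice")})
```

With the negation-only file, alice keeps password login because the block never applies to anyone.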

Solution 3

For security reasons, you may need to block certain users' SSH access to a Linux box.

Edit the sshd_config file. Its location will sometimes differ depending on the Linux distribution, but it's usually in /etc/ssh/.

Open the file up while logged on as root:

# vi /etc/ssh/sshd_config

Insert a line at the end of the config file:

DenyUsers username1 username2 username3 username4

Save it and restart the SSH service. SSH login is then disallowed for username1, username2, username3 and username4.

Run the command below to restart it:

# systemctl restart sshd

The requirement is now met. Try to SSH in as those users and you will get the error "Access Denied".

Solution 4

There are a few ways that you can do this. First, you could conceivably run a second sshd daemon on a different port with a different config. It's a bit of a hack, but with some chroot work it should work just fine.

Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.


Author: user1340531

Updated on September 18, 2022

Comments

  • user1340531
    user1340531 over 1 year

    Here's input type="search" in its natural habitat:

    <input type="search" value="asd" />
    

    http://jsfiddle.net/u9c7p345/

    It has an X icon/button on the right side which is visible when there is text entered in the field.

    When using the PureCSS framework, the default browser styling is over-written, and the [X] button which removes the text entered is not there anymore.

    http://jsfiddle.net/fonfv7sL/

    Can you point me to the file or CSS line that removes this specific browser default so I can amend the code?

    • nil
      nil over 11 years
      Maybe it's because of your indentation?
    • Sharky
      Sharky about 9 years
      It has that X button when you hover or focus it. Um, what? What system are you using? I don't see any X button.
    • user1340531
      user1340531 about 9 years
      Latest Chrome on win 8.1. Example image: html5tutorial.info/images/input_type_search.png
    • Sharky
      Sharky about 9 years
      I'm pretty sure the "natural habitat" has no "X". That X is added by your system and/or browser and/or plugins. I can only guess PureCSS resets all this custom wizardry and that's why you see it in its truly "natural habitat" state, without X.
    • Sharky
      Sharky about 9 years
      Take a look at "CSS reset rules". When you start making a website, "reset" your CSS so you have the same basic look across all systems. Then, based on that, you start designing your CSS so your design's look is consistent across all systems.
    • Sharky
      Sharky about 9 years
      To anyone reading this question and the answer below: this question ended up going in a completely different direction; it wasn't clear from the start what the OP's wish was.
    • natenho
      natenho almost 9 years
      !root also doesn't work for me. The second approach did the trick.
    • Roman Hocke
      Roman Hocke almost 7 years
      I've seen cases where Match User "!root,*" did the job.
  • 84104
    84104 almost 13 years
    prefer Match user !root for this case
  • Safado
    Safado almost 13 years
    Awesome, I didn't know about the Match syntax. One suggestion I would make, though, is if this is a public-facing server, I wouldn't allow root login through SSH at all. Probably not a huge deal if it's internal, though.
  • Stepan
    Stepan almost 13 years
    I wouldn't allow root login through SSH at all - We use strong root password so this is not real security weakness.
  • SpacemanSpiff
    SpacemanSpiff almost 13 years
    Strong or not, it can be brute-forced.
  • ceejayoz
    ceejayoz almost 13 years
    @SpacemanSpiff That's what a) strong passwords and b) denyhosts/fail2ban are for.
  • rashid
    rashid almost 12 years
    Also note: Put these lines to the end (!) of the file /etc/ssh/sshd_config and reload the SSH config: sudo /etc/init.d/ssh reload
  • pl1nk
    pl1nk over 11 years
    Quite important in order to avoid errors such as: Directive XYZ is not allowed within a Match block.
  • ceejayoz
    ceejayoz almost 11 years
    @deed02392 You can consider a key to be a really, really strong password if you like.
  • deed02392
    deed02392 almost 11 years
    It's so much stronger it's not in the same ball-park, that was my point. Password authentication should be disabled for root too and keys only allowed for logins.
  • Freedom_Ben
    Freedom_Ben over 10 years
    From a practical standpoint, really strong passwords (no dict words, length >= 15 chars, mixed chars, etc.) cannot be brute forced over SSH (way too slow, would take a million years to crack). If you have the /etc/shadow file and a beastly rainbow table then you might be able to, but even then probably not. That being said, a really hard password usually gets written down...
  • user1340531
    user1340531 about 9 years
    Well it's already taken care of by the PureCSS framework. Now I'd like to get it back for the systems that support it.
  • Sharky
    Sharky about 9 years
    Please clarify your question. Do you need this X for all systems OR only for the systems that natively support it?
  • user1340531
    user1340531 about 9 years
    Only those who already support it. If I start building one for myself it's bound to not work on some x device and will possibly look ugly instead of not being there at all.
  • Sharky
    Sharky about 9 years
    @user1340531 Look at my updated answer. You just need to remove these CSS rules from that PureCSS file, and it will work.
  • Sharky
    Sharky about 9 years
    @user1340531 use a CSS code beautifier to make the CSS readable to the human eye, then search and find any of these "-decoration" etc stuff on inputs and remove them.
  • user1340531
    user1340531 about 9 years
    I need to use CDN for the framework so I can't edit it
  • user1340531
    user1340531 about 9 years
    Used code from davidbcalhoun.com/2012/… Thanks for all the help
  • Sharky
    Sharky about 9 years
    @user1340531 You do understand the code you posted is nowhere near what you finally asked for? This RESETS these X's and re-creates them just like I advised you in my answer.
  • Sharky
    Sharky about 9 years
    also that is for webkit only
  • user1340531
    user1340531 about 9 years
    Well, I understand it recreates it, but since the selector is ::-webkit-search-cancel-button:after I figured it still only applies to browsers that support webkit-search-cancel-button and won't show up on anything else. Whereas recreating it by making a span and positioning it to overlap the input and adding JS to make it work as a clear button could be bad.
  • Sharky
    Sharky about 9 years
    @user1340531 Please make sure your questions in future are better defined. Your question ended up going in a completely different direction.
  • Peter Krauss
    Peter Krauss over 7 years
    I need "only SFTP, no SSH"; will it also block SFTP?
  • kasperd
    kasperd over 7 years
    @ceejayoz No matter how strong a password you choose, it will not give you the security of key-based authentication. That's because the key validation actually provides an extra layer of defence against MITM attacks, which you will not get with a stronger password.
  • Jonathan
    Jonathan about 7 years
    Didn't work for me; ssh would not restart with the above block anywhere in the file.
  • Ali Hasan
    Ali Hasan about 5 years
    As per Trevor Hateley's answer, you'll probably need Match all on a new line afterwards, otherwise sshd will attempt to treat the remainder of the file as part of your block, and either refuse to restart with the Directive Foo is not allowed errors, or worse, start silently, but apply subsequent settings to the wrong people.
  • dortegaoh
    dortegaoh about 5 years
    The question was about disabling password login (but keeping login with key authentication).
  • Dimitrios
    Dimitrios almost 5 years
    It didn't work for me...
  • Vladimir Kondratyev
    Vladimir Kondratyev over 4 years
    "Match all" did the trick. Thank you. Without "Match all" sshd fails to start.
  • UltimaWeapon
    UltimaWeapon almost 4 years
    This does not work on Ubuntu 20.04.
  • UltimaWeapon
    UltimaWeapon almost 4 years
    It is working now after putting in /etc/ssh/sshd_config instead of /etc/ssh/sshd_config.d.
  • TheHat
    TheHat almost 3 years
    "Match all" made it work for me. Without "Match all" in the end, the ssh and sshd services were failing to restart.
  • Michael Hampton
    Michael Hampton over 2 years
    See formatting help to learn how to add formatting to your posts.