How to disable SSH login with password for some users?
Solution 1
Try Match in sshd_config:
Match User user1,user2,user3,user4
PasswordAuthentication no
Or by group:
Match Group users
PasswordAuthentication no
Or, as mentioned in the comment, by negation:
Match User !root
PasswordAuthentication no
Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)
Solution 2
Match in sshd_config works well. You should use Match all to end the match block if you're using OpenSSH 6.5p1 or above. Example:
PasswordAuthentication no
Match User root
PasswordAuthentication yes
Match all
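The Match behaviour discussed in Solutions 1 and 2 and in the comments, as an added example that is not part of the original answers: a small Python model of how sshd chooses a keyword's value (a negated pattern never matches on its own, an applicable Match block overrides the global section, and the first value found wins). Only Match all and the User and Group criteria are modelled, and the function names are this example's own.

```python
import re
# Config fragments quoted from the answers and comments on this page.
NEGATED_ONLY = "Match User !root\nPasswordAuthentication no\n"
NEGATED_STAR = 'Match User "!root,*"\nPasswordAuthentication no\n'
ROOT_ONLY = "PasswordAuthentication no\nMatch User root\nPasswordAuthentication yes\nMatch all\n"

def _glob(pattern, name):
    # sshd patterns support only the '*' and '?' wildcards
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name) is not None

def match_list(name, pattern_list):
    """1 = matched, -1 = hit a negated pattern, 0 = no match at all.
    A list made only of negated patterns can never return 1."""
    result = 0
    for pat in pattern_list.strip('"').split(","):
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat, name):
            if negated:
                return -1
            result = 1
    return result

def block_applies(args, user, groups):
    if [a.lower() for a in args] == ["all"]:
        return True
    for crit, pats in zip(args[0::2], args[1::2]):
        if crit.lower() not in ("user", "group"):
            raise ValueError(f"criterion not modelled here: {crit}")
        names = [user] if crit.lower() == "user" else groups
        hits = [match_list(n, pats) for n in names]
        if -1 in hits or 1 not in hits:
            return False
    return True

def effective(config, user, groups=(), keyword="PasswordAuthentication", default="yes"):
    """First value in an applicable Match block, else first global value, else default."""
    in_match = applies = False
    found = {"match": None, "global": None}
    for parts in (ln.split() for ln in config.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            in_match, applies = True, block_applies(parts[1:], user, groups)
        elif parts[0].lower() == keyword.lower() and len(parts) > 1:
            scope = "match" if in_match else "global"
            if found[scope] is None and (applies or not in_match):
                found[scope] = parts[1].lower()
    return found["match"] or found["global"] or default
```

On a real host, `sshd -t` checks the file for syntax errors and `sshd -T -C user=NAME` prints the settings that would apply to that user (some older releases also require host= and addr= in the -C list).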
Solution 3
For security reasons, you may need to block certain users' SSH access to a Linux box.
Edit the sshd_config file. Its location sometimes differs depending on the Linux distribution, but it's usually in /etc/ssh/.
Open the file while logged on as root:
# vi /etc/ssh/sshd_config
Insert a line at the end of the config file:
DenyUsers username1 username2 username3 username4
Save it and restart the SSH service. SSH login is then disallowed for username1, username2, username3 and username4.
Run the command below to restart it:
# systemctl restart sshd
The requirement is now met. Try to SSH in as one of those users and you will get the error "Access Denied".
Solution 4
There are a few ways that you can do this. First, you could conceivably run a second sshd daemon on a different port with a different config. It's a bit of a hack, but with some chroot work it should work just fine.
Also, you could allow password authentication, but lock the passwords for all but the one user. The users with locked passwords will still be able to authenticate with public keys.
user1340531
Updated on September 18, 2022
Comments
-
user1340531 over 1 year
Here's input type="search" in its natural habitat:
<input type="search" value="asd" />
It has an X icon/button on the right side which is visible when there is text entered in the field.
When using the PureCSS framework, the default browser styling is over-written, and the [X] button which removes the text entered is not there anymore.
Can you point me to the file or CSS line that removes this specific browser default so I can amend the code?
-
nil over 11 years
Maybe it's because of your indentation?
-
Sharky about 9 years
It has that X button when you hover or focus it.
um what? what system are you using? i don't see any X button
-
user1340531 about 9 years
Latest Chrome on win 8.1. Example image: html5tutorial.info/images/input_type_search.png
-
Sharky about 9 years
I'm pretty sure the "natural habitat" has no "X". That x is added by your system and/or browser and/or plugins. I can only guess PureCSS resets all these custom wizardry and that's why you see it in its truly "natural habitat" state, without X.
-
Sharky about 9 years
take a look on "css reset rules". when you start making a website, "reset" your css so you have the same basic look across all systems. Then, based on that, you start designing your css so your design look is consistent across all systems.
-
Sharky about 9 years
to anyone reading this question and the answer below: this question ended up in a completely different direction, it wasn't clear from start what was the op's wish.
-
natenho almost 9 years
!root also doesn't work for me. The second approach did the trick.
-
Roman Hocke almost 7 years
I've seen cases where Match User "!root,*" did the job.
-
-
84104 almost 13 years
prefer Match user !root for this case
-
Safado almost 13 years
Awesome, I didn't know about the Match syntax. One suggestion I would make, though, is if this is a public facing server, I wouldn't allow root login through SSH at all. Probably not a huge deal if it's Internal though..
-
Stepan almost 13 years
I wouldn't allow root login through SSH at all - We use strong root password so this is not real security weakness.
-
SpacemanSpiff almost 13 years
Strong or not, it can be brute-forced.
-
ceejayoz almost 13 years
@SpacemanSpiff That's what a) strong passwords and b) denyhosts/fail2ban are for.
-
rashid almost 12 years
Also note: Put these lines to the end (!) of the file /etc/ssh/sshd_config and reload the SSH config: sudo /etc/init.d/ssh reload
-
pl1nk over 11 years
Quite important in order to avoid errors such as: Directive XYZ is not allowed within a Match block.
-
ceejayoz almost 11 years
@deed02392 You can consider a key to be a really, really strong password if you like.
-
deed02392 almost 11 years
It's so much stronger it's not in the same ball-park, that was my point. Password authentication should be disabled for root too and keys only allowed for logins.
-
Freedom_Ben over 10 years
From a practical standpoint, really strong passwords (no dict words, length >= 15 chars, mixed chars, etc.) cannot be brute forced over SSH (way too slow, would take a million years to crack). If you have the /etc/shadow file and a beastly rainbow table then you might be able to, but even then probably not. That being said, a really hard password usually gets written down...
-
user1340531 about 9 years
Well it's already taken care of by the PureCSS framework. Now I'd like to get it back for the systems that support it.
-
Sharky about 9 years
please clarify your question. do you need this X for all systems OR just for only for the systems that natively support it?
-
user1340531 about 9 years
Only those who already support it. If I start building one for myself it's bound to not work on some x device and will possibly look ugly instead of not being there at all.
-
Sharky about 9 years
@user1340531 look on my updated answer. you just need to remove these css rules from that PureCSS file, and it will work.
-
Sharky about 9 years
@user1340531 use a CSS code beautifier to make the CSS readable to the human eye, then search and find any of these "-decoration" etc stuff on inputs and remove them.
-
user1340531 about 9 years
I need to use CDN for the framework so I can't edit it
-
user1340531 about 9 years
Used code from davidbcalhoun.com/2012/… Thanks for all the help
-
Sharky about 9 years
@user1340531 you do understand the code you posted is nowhere near what you finally asked for? This RESETS these X's and re-creates them just like I advised you in my answer.
-
Sharky about 9 years
also that is for webkit only
-
user1340531 about 9 years
Well I understand it recreates it, but since the selector is ::-webkit-search-cancel-button:after I figured it still only applies to browsers that support webkit-search-cancel-button and won't show up on anything else. Whereas recreating it by making a span and positioning it to overlap the input and adding js to make it work as a clear button could be bad.
-
Sharky about 9 years
@user1340531 please make sure your questions in future are better defined. your question ended up in a completely different direction.
-
Peter Krauss over 7 years
I need "only sftp, no ssh", it will block also sftp?
-
kasperd over 7 years
@ceejayoz No matter how strong a password you choose, it will not give you the security of key based authentication. That's because the key validation actually provides an extra layer of defence against mitm attacks, which you will not get with a stronger password.
-
Jonathan about 7 years
didn't work for me, ssh would not restart with the above block anywhere in the file
-
Ali Hasan about 5 years
As per Trevor Hateley's answer, you'll probably need Match all on a new line afterwards, otherwise sshd will attempt to treat the remainder of the file as part of your block, and either refuse to restart with the Directive Foo is not allowed errors, or worse, start silently, but apply subsequent settings to the wrong people.
-
dortegaoh about 5 years
The question was about disabling password login (but keeping login with key authentication).
-
Dimitrios almost 5 years
It didn't work for me...
-
Vladimir Kondratyev over 4 years
"Match all" did the trick. Thank you. Without "Match all" sshd fails to start.
-
UltimaWeapon almost 4 years
This does not work on Ubuntu 20.04.
-
UltimaWeapon almost 4 years
It is working now after putting in /etc/ssh/sshd_config instead of /etc/ssh/sshd_config.d.
-
TheHat almost 3 years
"Match all" made it work for me. Without "Match all" in the end, the ssh and sshd services were failing to restart.
-
Michael Hampton over 2 years
See formatting help to learn how to add formatting to your posts.