Today, we are going to learn how to disable ssh password login for specific users in Ubuntu 18.04. In our previous guide, we learnt how to allow or deny specific users to login via SSH in Ubuntu 18.04.
Disable SSH Password Login for Specific Users in Ubuntu 18.04
If you need to disable ssh password login for specific users in Ubuntu 18.04 or any other Linux distribution system, you would use Match directive in the sshd_config file. When you disable password authentication for user, the user can only login using SSH public key.
There are different arguments that can be passed to the Match directive. These arguments can be one or more criteria-pattern pairs or the single token, All, which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators.
If all of the criteria on the Match line are satisfied, the keywords on the lines that follows override those set in the global section of the config file,until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied,
only the first instance of the keyword is applied.
Therefore, to disable SSH password login for specific users, edit the sshd configuration file and add the lines below at the end of the configuration file.
vim /etc/ssh/sshd_config
...
Match User amos,mibey
PasswordAuthentication no
This disables SSH password login for the specified users, amos and mibey. Reload ssh configuration. If you try to login as any of the user whose password authentication is disabled, you will get the error, Permission denied (publickey).;
ssh [email protected] Permission denied (publickey).
As stated above, wildcards (*) or negation (!) operators can be used. For example, to disable password authentication for all system users except root user, put the lines below at the end of the configuration.
...
Match User *,!root
PasswordAuthentication no
If you have three users, amos, mibey and root, the above line will only allow root user to login with password while denying the rest of the users.
You can also use the Group argument to disable password authentication for specific group. For example, to disable the members of the group local_users whose members are amos and mibey, add the lines below to the end of configuration file;
...
Match Group local_users
PasswordAuthentication no
Reload SSH
systemctl reload ssh
If you try to login as either of the group members, you will get permission denied.
ssh [email protected] Permission denied (publickey).
ssh [email protected] Permission denied (publickey).
Wildcards or negation operators can be similarly used.
That is all about how to disable SSH password login for specific users in Ubuntu 18.04. To learn more about this, check the reference below;
man sshd_config
You can also check our article on how to Configure SSH Public Key Authentication in Linux.
Thanks for this article. If a user’s password is disabled for ssh, will they still be able to use their password with sudo?
Thanks.
Steve
Thanks for the feedback Steve. Yes, if the user is allowed to execute sudo on the system, then yes.