I would like to disable password authentication in sshd for particular users, without locking their UNIX password, and without requiring all users to use PubkeyAuthentication. I cannot find a documented way to accomplish this in OpenSSH. Is it currently possible?

If not, I think this would be a very useful feature to add. I believe that each user should have some control of which authentication methods are allowed to log in to their account, within the limits set by the server's sshd_config. For users with special privileges, this feature (like PermitRootLogin) could increase security without restricting the options for normal users.

I'm not sure what the best way to implement this is, but perhaps the user's authorized_keys file could contain a line that meant: "If no keys match, then apply these settings." One of those settings could be: disable-password-authentication.

Thanks,
--Brett

Brett Hamilton wrote:
> I would like to disable password authentication in sshd for particular users,
> without locking their UNIX password, and without requiring all users to
> use PubkeyAuthentication. I cannot find a documented way to accomplish
> this in OpenSSH. Is it currently possible?

Not within OpenSSH itself. If you're using PAM, however, you could arrange for PAM to do it by having the sshd auth stack reject those users (sshd's public-key authentication will still work).

For example, if you're using a LinuxPAM, putting this into the first line of /etc/pam.d/sshd ought to do it (all one line, untested):

    auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/nopasswdusers

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
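
An audit of the pam_listfile setup suggested in the reply above, added here as an example and not part of the original thread. It assumes Linux-PAM; the function names `check_pam_deny` and `demo`, the user names and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the pam_listfile deny-list setup from the reply.
# check_pam_deny PAM_FILE returns 0 if the setup looks sound, 1 otherwise.
check_pam_deny() {
    # The rule must come first: take the first "auth" entry, whitespace-normalized.
    first_auth=$(awk '$1 == "auth" { $1 = $1; print; exit }' "$1" 2>/dev/null)
    case $first_auth in
        *pam_listfile.so*) ;;
        *) echo "FAIL: first auth entry is not pam_listfile"; return 1 ;;
    esac
    for want in item=user sense=deny; do
        case " $first_auth " in
            *" $want "*) ;;
            *) echo "FAIL: missing $want"; return 1 ;;
        esac
    done
    list=$(printf '%s\n' "$first_auth" | tr ' ' '\n' | sed -n 's/^file=//p')
    # If the list cannot be opened, onerr= decides the result; onerr=succeed
    # then lets the listed users log in with passwords again. pam_listfile
    # also refuses a list that is world-writable or not a regular file.
    if [ ! -f "$list" ]; then
        echo "FAIL: $list is missing or not a regular file"; return 1
    fi
    if [ -n "$(find "$list" -prune -perm -0002)" ]; then
        echo "FAIL: $list is world-writable"; return 1
    fi
    case " $first_auth " in
        *" onerr=succeed "*) echo "NOTE: onerr=succeed fails open if the list is unreadable" ;;
    esac
    echo "OK: PAM password auth denied for: $(tr '\n' ' ' < "$list")"
}

# Constructed sample input (hypothetical user names) written to a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf 'brett\nadmin2\n' > "$d/nopasswdusers"
    chmod 644 "$d/nopasswdusers"
    printf '%s\n' "# constructed copy of /etc/pam.d/sshd" \
        "auth required pam_listfile.so onerr=succeed item=user sense=deny file=$d/nopasswdusers" \
        "auth include system-auth" > "$d/sshd"
    check_pam_deny "$d/sshd"; good=$?
    chmod 666 "$d/nopasswdusers"   # simulate a bad permission change
    check_pam_deny "$d/sshd"; bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
demo
```

The check only covers the PAM side; it does not inspect sshd_config.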