Configuring Selective PAM Authentication in SSH: Enabling 2FA for Specific Users While Restricting Password Access


When hardening SSH security, we often face a dilemma: wanting to disable password authentication globally while needing to maintain it for specific privileged accounts. This becomes particularly important when implementing two-factor authentication (2FA) via PAM for select users.

The key to this selective authentication is a correctly ordered sshd_config that uses Match blocks. Here's the base configuration we'll build upon:

# /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePAM yes
# sshd keeps the first value it reads for a keyword, so do not also set the
# deprecated alias ChallengeResponseAuthentication here: it would silently
# override the global KbdInteractiveAuthentication line that follows.
# Require only a public key by default; the Match blocks add PAM for privileged users.
AuthenticationMethods publickey

We'll use Match User blocks to create exceptions for privileged accounts:

# Global settings - secure by default
PasswordAuthentication no
KbdInteractiveAuthentication no

# Special cases
Match User admin1,admin2
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive:pam

For our privileged users, we need to configure PAM to require both a password and a second factor. Here's an example using Google Authenticator that applies the second factor only to members of the privileged group (admin1 and admin2 must belong to it):

# /etc/pam.d/sshd
# Common rules
auth required pam_securetty.so
auth required pam_nologin.so
@include common-auth

# 2FA only for specific users
auth [success=done default=ignore] pam_succeed_if.so quiet user ingroup privileged
auth required pam_google_authenticator.so

After restarting sshd (systemctl restart sshd), test with:

ssh -v admin1@yourserver.com

Regular users without 2FA should only be able to authenticate via public key, while the privileged users will be prompted for both their password and a verification code.

For more scalable management, consider using groups instead of individual users:

Match Group privileged
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive:pam

  • Always test changes in a non-production environment first
  • Monitor authentication attempts in /var/log/auth.log
  • Consider rate-limiting password attempts with fail2ban
  • Regularly rotate SSH host keys and user certificates
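To see how sshd resolves the Match User and Match Group blocks above for a given login, here is an added Python model of the rules sshd applies (example code, not part of this article or of OpenSSH): matching blocks are checked in file order, the first block that sets a keyword wins, and Match values override the global section. The sample config is constructed to mirror the article's settings, and only User and Group criteria are modelled.

```python
import fnmatch

# Constructed sample: the article's global settings plus its Match Group and
# Match User blocks (admin accounts are assumed to be members of "privileged").
SAMPLE_CONFIG = """
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
Match Group privileged
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive:pam
Match User emergency
    PasswordAuthentication yes
    AuthenticationMethods password
"""


def parse(text):
    """Split sshd_config into global settings and Match blocks, in file order."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # criteria come as "Criterion pattern[,pattern]" pairs
            toks = val.split()
            cur = ({toks[i].lower(): toks[i + 1].split(",") for i in range(0, len(toks), 2)}, {})
            blocks.append(cur)
        else:  # sshd keeps the first value it sees for a keyword
            (glob if cur is None else cur[1]).setdefault(key, val)
    return glob, blocks


def effective(text, user, groups):
    """Settings sshd applies to `user` (a member of `groups`): matching blocks are
    checked in file order, the first block that sets a keyword wins, and Match
    values override the global section. Assumption: only User/Group criteria."""
    glob, blocks = parse(text)
    chosen = {}
    for crit, settings in blocks:
        if "user" in crit and not any(fnmatch.fnmatchcase(user, p) for p in crit["user"]):
            continue
        if "group" in crit and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in crit["group"]):
            continue
        for key, val in settings.items():
            chosen.setdefault(key, val)
    return {**glob, **chosen}
```

Note that a user who is in group privileged and also named in the later Match User emergency block keeps the earlier block's methods, because the first matching block wins; on a real host, `sshd -T -C user=emergency` prints the same effective settings.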

When hardening SSH access, most administrators disable password authentication entirely in favor of public key authentication. However, there are legitimate cases where you might need to:

  • Enable PAM authentication for specific users (e.g., for 2FA)
  • Allow password authentication only for designated accounts
  • Make the server appear to have password authentication completely disabled (security through obscurity)

The solution lies in Match blocks in your sshd_config. Here's how to implement selective authentication methods:

# Global settings - most restrictive by default
# UsePAM is not permitted inside a Match block, so it must be set globally
UsePAM yes
PasswordAuthentication no
# ChallengeResponseAuthentication is the older alias of this keyword
KbdInteractiveAuthentication no
AuthenticationMethods publickey

# Special cases for specific users
Match User admin,backup
    PasswordAuthentication yes
    # keyboard-interactive must be re-enabled here, or the :pam method can never succeed
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive:pam

Match User emergency
    PasswordAuthentication yes
    AuthenticationMethods password

For users requiring 2FA, you'll need to configure PAM. Here's an example /etc/pam.d/sshd snippet:

# /etc/pam.d/sshd
# Common auth (password check for everyone who reaches PAM)
@include common-auth

# Special 2FA users: skip the next module (success=1) unless the user is admin
# or backup, so only those two accounts are asked for a verification code.
# nullok lets a listed user without a ~/.google_authenticator file log in while
# enrolling; remove it once both accounts are enrolled.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notin admin:backup
auth required pam_google_authenticator.so nullok

After making changes, test carefully:

# Check config syntax
sshd -t

# Verify authentication flow
ssh -v -o PreferredAuthentications=password user@host
ssh -v -o PreferredAuthentications=keyboard-interactive user@host

  • Always keep audit logs of special access accounts
  • Consider rate-limiting password attempts with fail2ban
  • Regularly review Match User entries