SSH provides two primary authentication methods: password-based and public key authentication. Password authentication is convenient but can be guessed online by anyone who can reach the port; public key authentication ties a login to possession of a private key and is the stronger option. In production environments it is common to require key authentication for privileged accounts while still allowing passwords for others, and OpenSSH can express that policy per user.
The most straightforward solution involves modifying the SSH daemon configuration file. Here's how to implement user-specific authentication rules:
# Edit the SSH daemon config
sudo nano /etc/ssh/sshd_config
# Add these lines at the END of the file. Every directive that follows a
# Match line belongs to that block until the next Match line, so Match
# blocks must come after all global settings.
Match User userA
    PasswordAuthentication no
    # Require a key outright. "PasswordAuthentication no" alone still leaves
    # keyboard-interactive (PAM) password prompts possible where that method
    # is enabled; AuthenticationMethods closes that path too.
    AuthenticationMethods publickey
Match User userB
    PasswordAuthentication yes
After making changes, test the configuration before relying on it, and keep your current session open until a fresh login succeeds:
# Check config syntax (exit status 0 means it parsed)
sudo sshd -t
# Reload the service (the unit is "ssh" on Debian/Ubuntu and "sshd" on RHEL-family systems)
sudo systemctl reload ssh
# Test as userA from a second terminal; -v shows which methods the server offered
ssh -v userA@yourserver.com
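A syntax check only proves the file parses; it does not prove the Match blocks produce the policy you intended. The following audit script is an added example, not code from the original page: it feeds the output of `sshd -T -C user=NAME` (sshd's dump of the effective configuration for that user, which is the only mode in which Match blocks are evaluated) through a small checker, and applies to both the short Match block above and the fuller configuration later on this page. The user names and expected values are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit the effective per-user
# authentication policy that sshd computes after applying Match blocks.
# `sshd -T -C user=NAME` prints that policy as lower-case "keyword value"
# lines; without -C, Match blocks are skipped and the dump is misleading.

# effective_auth: read a `sshd -T` dump on stdin and print
# "<passwordauthentication> <authenticationmethods>". sshd prints
# "authenticationmethods any" when no restriction is configured.
effective_auth() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "authenticationmethods"  { am = $2 }
        END { print pw, am }
    '
}

# check_policy USER EXPECTED_PW EXPECTED_METHODS: read the dump for USER on
# stdin; return 0 only if both values match, and print a one-line verdict.
check_policy() {
    local user=$1 want_pw=$2 want_am=$3 got
    got=$(effective_auth)
    if [ "$got" = "$want_pw $want_am" ]; then
        echo "OK   $user: $got"
        return 0
    fi
    echo "FAIL $user: got '$got', expected '$want_pw $want_am'" >&2
    return 1
}

# audit_live: run against the installed daemon (needs root). Reads policy
# lines "user expected_passwordauthentication expected_authenticationmethods"
# on stdin and returns non-zero if any user deviates.
audit_live() {
    local rc=0 user pw am
    while read -r user pw am; do
        [ -z "$user" ] && continue
        sshd -T -C "user=$user" | check_policy "$user" "$pw" "$am" || rc=1
    done
    return $rc
}

# Usage (as root), with the two users from the configuration above:
#   printf 'userA no publickey\nuserB yes any\n' | audit_live
```

If the configuration also contains Match Host or Match Address blocks, pass a full connection spec such as `-C user=userA,host=client.example,addr=192.0.2.10` so that sshd can evaluate those blocks as well; otherwise the dump reflects only the user-based rules.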
PAM (Pluggable Authentication Modules) can also gate logins, with one important limit: sshd only runs the PAM auth stack for password and keyboard-interactive logins (when UsePAM yes). Public key authentication never passes through it, so PAM cannot be used to demand a key; it can only refuse the password path for selected users. The pam_succeed_if module ships with Linux-PAM, so no extra package is needed. The rule must sit at the top of the auth stack in /etc/ssh/../pam.d/sshd, ahead of the modules that actually check the password; appending it to the end of the file, after the last module, does nothing.
# First lines of the auth stack in /etc/pam.d/sshd:
# everyone except userA skips the deny line; userA's password logins are refused
auth [success=1 default=ignore] pam_succeed_if.so user != userA
auth requisite pam_deny.so
Common pitfalls when key authentication fails:
- Permission issues: with the default StrictModes yes, sshd silently ignores authorized_keys if that file, ~/.ssh or the home directory is writable by group or others. Use 700 for ~/.ssh and 600 for ~/.ssh/authorized_keys.
- SSH version: Match blocks were added in OpenSSH 4.4; anything older rejects the directive and sshd -t will say so.
- Firewall rules: verify that port 22 (or whatever Port is configured) is reachable from the intended source IP ranges.
For defense in depth, integrate with Fail2Ban to block brute-force attempts against the accounts that still accept passwords (a key-only user cannot be brute-forced this way, but banning repeat offenders still cuts log noise and load):
# Install Fail2Ban
sudo apt-get install fail2ban
# Configure a jail for SSH (jail.local overrides jail.conf and survives package upgrades)
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# On hosts that log only to the systemd journal, use "backend = systemd" instead of logpath
maxretry = 3
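What the jail above does at its core is count "Failed password" events per source address and act once the count reaches maxretry. The script below is an added example, not code from the original page or from the Fail2Ban project: it reimplements that threshold logic over a few constructed auth.log lines so the counting can be checked offline. The hostname, process ids and addresses are made up; the message formats are the ones sshd writes.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or Fail2Ban): count failed
# password attempts per source IP in sshd log lines and report the sources
# that reach a maxretry threshold, as the sshd jail does before banning.

# Constructed sample log (not real traffic). 198.51.100.7 fails four times
# across three user names; 203.0.113.9 fails once and then logs in with a key.
SAMPLE_LOG='Jan 10 09:12:01 host sshd[1201]: Failed password for userB from 198.51.100.7 port 51122 ssh2
Jan 10 09:12:03 host sshd[1201]: Failed password for userB from 198.51.100.7 port 51122 ssh2
Jan 10 09:12:05 host sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Jan 10 09:12:06 host sshd[1204]: Invalid user admin from 198.51.100.7 port 51130
Jan 10 09:12:09 host sshd[1207]: Failed password for root from 198.51.100.7 port 51140 ssh2
Jan 10 09:13:00 host sshd[1210]: Failed password for userB from 203.0.113.9 port 40010 ssh2
Jan 10 09:13:04 host sshd[1210]: Accepted publickey for userA from 203.0.113.9 port 40012 ssh2: ED25519 SHA256:constructedfingerprint'

# offenders MAXRETRY: read log lines on stdin and print "ip count" for every
# source whose failed-password count is at least MAXRETRY, sorted by IP.
# Only "Failed password for ..." lines count; the separate "Invalid user"
# line sshd logs for unknown names is the same attempt, so it is not
# counted twice.
offenders() {
    local maxretry=$1
    awk -v max="$maxretry" '
        # "Failed password for [invalid user] NAME from IP port N ssh2":
        # the address is the field after "from", whatever the user name was
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Usage against the sample, with the jail's maxretry = 3:
#   printf '%s\n' "$SAMPLE_LOG" | offenders 3
# Against a live Debian/Ubuntu host:
#   sudo grep sshd /var/log/auth.log | offenders 3
```

Fail2Ban additionally limits the count to a sliding window (findtime) and expires bans after bantime; the script deliberately leaves those out so the counting rule stays visible.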
To restate the model before the fuller configuration, SSH offers two primary authentication mechanisms:
- Password authentication (the conventional username/password method)
- Public key authentication (using cryptographic key pairs)
Password authentication is convenient but can be brute-forced by anyone who can reach the port. Public key authentication relies on asymmetric cryptography: the server only ever sees the public key, and a login requires proof of possession of the matching private key. In production environments it is common practice to:
- Disable password authentication globally
- Enable key-based authentication
- Create exceptions for specific users when needed
To implement user-specific authentication restrictions, we'll modify the /etc/ssh/sshd_config
file with Match blocks. Global directives come first; Match blocks go last, because everything after a Match line belongs to that block:
# Global settings (apply to all users unless overridden in a Match block)
PasswordAuthentication no
PubkeyAuthentication yes

# User-specific block: userA is pinned to key-only authentication, so the
# restriction survives even if the global PasswordAuthentication setting is
# later relaxed for other users
Match User userA
    PasswordAuthentication no
    PubkeyAuthentication yes
    AuthenticationMethods publickey
For more granular control, the same Match block can also close the remaining password-style paths. KbdInteractiveAuthentication and ChallengeResponseAuthentication are the same setting under two names: OpenSSH 8.7 renamed the directive, and older releases only understand the old name, so listing both keeps the block portable.
Match User userA
    PasswordAuthentication no
    PubkeyAuthentication yes
    AuthenticationMethods publickey
    PermitEmptyPasswords no
    KbdInteractiveAuthentication no
    ChallengeResponseAuthentication no
After making changes, always:
- Test the configuration syntax:
sshd -t
- Restart (or reload) the SSH service; the unit is sshd on RHEL-family systems and ssh on Debian/Ubuntu, and existing sessions survive either operation:
systemctl restart sshd
- Verify connectivity from another terminal before closing your current session, so a mistake cannot lock you out
If key authentication fails:
- Verify permissions (sshd ignores the key file when it or its parent directories are group- or world-writable):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
- Check SELinux contexts if applicable (restorecon -R ~/.ssh on RHEL-family systems)
- Confirm the public key is properly added to authorized_keys, one key per line
- Read the server-side log, which states why a key was rejected: journalctl -u ssh on Debian/Ubuntu, /var/log/secure on RHEL-family systems
For dynamic user management in large environments, AuthorizedKeysCommand lets sshd fetch a user's keys from a program instead of (or in addition to) the file in the home directory. The program must be an absolute path, owned by root and not writable by group or others; it runs as AuthorizedKeysCommandUser, receives the login name as its only argument when no %-tokens are given, and must print lines in authorized_keys format. If it returns no matching key, sshd still falls back to AuthorizedKeysFile unless that is set to none.
Match User userA
    PasswordAuthentication no
    PubkeyAuthentication yes
    AuthenticationMethods publickey
    AuthorizedKeysCommand /usr/local/bin/get_user_keys
    AuthorizedKeysCommandUser nobody
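The page names /usr/local/bin/get_user_keys but does not show it. The script below is an added example of such a command, not code from the original page: it assumes a per-user key file layout under a directory (KEYDIR, defaulting to a hypothetical /etc/ssh/user_keys), validates the login name sshd passes in before using it as a path component, refuses symlinked key files, and emits only lines that look like authorized_keys entries. The key material in the usage comment is a constructed placeholder, not a real key.

```bash
#!/bin/sh
# Added example (not from the original page): a hypothetical
# /usr/local/bin/get_user_keys for AuthorizedKeysCommand. sshd runs it as
# AuthorizedKeysCommandUser with the login name as the only argument and
# reads authorized_keys-format lines from stdout. The per-user file layout
# under KEYDIR is an assumption of this example.

KEYDIR=${KEYDIR:-/etc/ssh/user_keys}

# valid_username NAME: accept only conventional account names, so a crafted
# login name cannot smuggle in path components such as "../" or whitespace.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_-]{0,31}$'
}

# user_keys NAME: print the user's keys from "$KEYDIR/NAME.pub", keeping only
# lines that carry a recognised key type, optionally preceded by
# authorized_keys options such as restrict or from="...". Returns 1 on a
# bad name or missing file, which makes sshd fall through to AuthorizedKeysFile.
user_keys() {
    name=$1
    valid_username "$name" || { echo "get_user_keys: rejecting user name" >&2; return 1; }
    file="$KEYDIR/$name.pub"
    # a regular file that is not a symlink, so one user cannot point at another's keys
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    grep -E '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) ' "$file"
}

# Entry point: sshd supplies exactly one argument, the login name.
# Example (with a constructed, non-functional key in /etc/ssh/user_keys/userA.pub):
#   $ /usr/local/bin/get_user_keys userA
#   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealxxxxxxxxxx userA@laptop
if [ "$#" -eq 1 ]; then
    user_keys "$1"
fi
```

Install it with `chown root:root` and `chmod 755`, and keep KEYDIR root-owned as well: AuthorizedKeysCommand shifts trust from each user's home directory to whatever this program reads, so the key store needs the same protection sshd enforces on authorized_keys through StrictModes.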