How to Configure SSH Key-Based Authentication Exclusively for Specific Users While Allowing Mixed Authentication for Others




SSH supports two primary authentication methods: password-based and public key authentication. The default configuration typically allows both methods for all users, which may pose security risks for privileged accounts like root.

We'll modify the /etc/ssh/sshd_config file to implement selective authentication restrictions. The key directives we'll use are:

  • AuthenticationMethods - Specifies which authentication methods must succeed (methods joined by commas are all required; space-separated lists are alternatives)
  • Match - Applies rules to specific users or groups

Here's how to configure SSH to enforce key-based authentication for root while allowing both methods for other users:

# Open the SSH server configuration file
sudo nano /etc/ssh/sshd_config

Add these configurations at the end of the file:

# Default authentication methods for all users (key OR password)
# Space-separated entries are alternatives; a comma would require both methods
AuthenticationMethods publickey password

# Force key-only authentication for root
Match User root
    AuthenticationMethods publickey
    PasswordAuthentication no

After saving the changes, restart the SSH service:

sudo systemctl restart sshd

Test the configuration with these commands:

# Test root login with password only, keys disabled on the client (should fail)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@yourserver

# Test root login with key (should succeed)
ssh -i /path/to/private_key root@yourserver

# Test regular user login with password only (should succeed)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no regularuser@yourserver
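
The outcomes these tests should produce can be worked out offline before touching a live server. The following is an added example, not part of the original article: a simplified Python model of how sshd resolves Match User/Group blocks and evaluates AuthenticationMethods lists, run over two constructed configs that differ only in comma versus space. The function names and the user alice are hypothetical.

```python
import fnmatch

def effective(config, user, groups=()):
    """Resolve sshd_config keywords for one login (simplified model).

    First value wins inside the global section and across matching Match
    blocks; Match values override global ones. Only 'Match User' and
    'Match Group' are modelled; other criteria are treated as not matching.
    """
    glob, matched, in_match, active = {}, {}, False, False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, pats = val.partition(" ")
            names = {"user": [user], "group": list(groups)}.get(crit.lower(), [])
            active = any(fnmatch.fnmatch(n, p)
                         for n in names for p in pats.strip().split(","))
            in_match = True
        elif not in_match:
            glob.setdefault(key, val)
        elif active:
            matched.setdefault(key, val)
    return {**glob, **matched}

def can_log_in(cfg, offered):
    """True if a client holding only the `offered` methods can authenticate."""
    enabled = set()  # assumes OpenSSH defaults (both "yes") when a keyword is unset
    if cfg.get("pubkeyauthentication", "yes") == "yes":
        enabled.add("publickey")
    if cfg.get("passwordauthentication", "yes") == "yes":
        enabled.add("password")
    usable = set(offered) & enabled
    lists = cfg.get("authenticationmethods", "any").split()
    if lists == ["any"]:
        return bool(usable)
    # Each list is comma-joined (ALL required); lists are alternatives (ANY).
    return any(set(l.split(",")) <= usable for l in lists)

# Constructed sample configs: same root block, two global spellings.
ROOT = "\nMatch User root\n    AuthenticationMethods publickey\n    PasswordAuthentication no\n"
COMMA = "AuthenticationMethods publickey,password" + ROOT   # key AND password
SPACE = "AuthenticationMethods publickey password" + ROOT   # key OR password

if __name__ == "__main__":
    for name, conf in (("comma", COMMA), ("space", SPACE)):
        for user in ("alice", "root"):
            for offer in (["password"], ["publickey"]):
                print(name, user, offer, can_log_in(effective(conf, user), offer))
```

On a live server, `sudo sshd -T -C user=root` prints the settings sshd itself resolves for that user (older releases also need host= and addr= in the -C spec).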

For more granular control, consider these additional settings:

# Restrict by group instead of individual users
Match Group restricted
    AuthenticationMethods publickey

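# Combine with other restrictions like source IP
# Comma-separated methods are all required: clients in this range need key AND password
# (separate the methods with a space instead to accept either one)
Match Address 192.168.1.*
    AuthenticationMethods publickey,password

  • Ensure root's authorized_keys file has proper permissions (600)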
  • Consider using stronger key types like ed25519
  • Regularly review and rotate SSH keys

If you encounter problems:

  1. Check system logs: journalctl -u ssh (the unit is named sshd on some distributions)
  2. Test with verbose output: ssh -v user@host
  3. Verify file permissions for key files and directories


When hardening SSH server security, administrators often need granular control over authentication methods. The requirement is straightforward:

  • Force specific users (like root) to use SSH keys exclusively
  • Allow other users flexibility with either key-based or password authentication

The solution involves two main configuration files:

/etc/ssh/sshd_config (main SSH daemon config)
~/.ssh/authorized_keys (per-user key configuration)

First, edit the global SSH configuration:

# Open the config file with elevated privileges
sudo nano /etc/ssh/sshd_config

Add these directives at the bottom:

# Global settings for all users
PasswordAuthentication yes
PubkeyAuthentication yes

# User-specific restrictions
Match User root
    PasswordAuthentication no
    AuthenticationMethods publickey

For multiple restricted users:

Match User admin1,admin2,backup
    PasswordAuthentication no
    AuthenticationMethods publickey

For group-based restrictions:

Match Group security-team
    PasswordAuthentication no
    AuthenticationMethods publickey

After making changes, always:

# Check config syntax
sudo sshd -t

# Restart SSH service
sudo systemctl restart sshd

# Test connection as restricted user
ssh -o PreferredAuthentications=password root@yourserver
# Should fail with "Permission denied (publickey)"

  • Always maintain at least one backup administrative account
  • Consider implementing two-factor authentication for sensitive accounts
  • Regularly review authorized_keys files for unexpected entries

If configurations don't apply:

  1. Check for conflicting Match blocks
  2. Verify SSH daemon logs: journalctl -u sshd (the unit is named ssh on some distributions)
  3. Ensure proper file permissions:
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys