Disable SSH Password Login for Specific Users in Ubuntu 18.04


Today, we are going to learn how to disable SSH password login for specific users in Ubuntu 18.04. In our previous guide, we learnt how to allow or deny specific users to log in via SSH in Ubuntu 18.04.

Disable SSH Password Login for Specific Users in Ubuntu 18.04

If you need to disable SSH password login for specific users in Ubuntu 18.04 or any other Linux distribution, use the Match directive in the sshd_config file. When you disable password authentication for a user, the user can only log in using an SSH public key.

There are different arguments that can be passed to the Match directive. These arguments can be one or more criteria-pattern pairs or the single token, All, which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators.

If all of the criteria on the Match line are satisfied, the keywords on the lines that follow override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

Therefore, to disable SSH password login for specific users, edit the sshd configuration file and add the lines below at the end of the configuration file.

vim /etc/ssh/sshd_config
...
Match   User    amos,mibey
        PasswordAuthentication  no

This disables SSH password login for the specified users, amos and mibey. Reload the SSH configuration. If you try to log in as any of the users whose password authentication is disabled, you will get the error Permission denied (publickey).

ssh [email protected]        
Permission denied (publickey).

As stated above, wildcard (*) or negation (!) operators can be used. For example, to disable password authentication for all system users except the root user, put the lines below at the end of the configuration file.

...
Match   User    *,!root
        PasswordAuthentication  no

If you have three users, amos, mibey and root, the above lines will allow only the root user to log in with a password while denying the rest of the users.

You can also use the Group argument to disable password authentication for a specific group. For example, to disable password authentication for the members of the group local_users, whose members are amos and mibey, add the lines below to the end of the configuration file:

...
Match   Group   local_users
        PasswordAuthentication  no

Reload SSH

systemctl reload ssh

If you try to log in as either of the group members, you will get permission denied.

ssh [email protected]
Permission denied (publickey).
ssh [email protected] 
Permission denied (publickey).

Wildcards or negation operators can be similarly used.
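
The Match rules described above (pattern lists with wildcards and negation, every criterion on the line satisfied, first instance of a keyword wins) can be checked offline before a reload. The Python below is an added example, not code from the original article or from OpenSSH; the sample config, the user jane and the function names are constructed for illustration, and only the User, Group and All criteria are evaluated.

```python
import re

# Constructed sample (not from the article): block order decides the result.
SAMPLE = """\
PasswordAuthentication yes
Match User amos,mibey
    PasswordAuthentication no
Match Group local_users
    PasswordAuthentication yes
Match User *,!root
    PasswordAuthentication no
"""

def _glob(pattern, name):  # sshd patterns know only the '*' and '?' wildcards
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name) is not None

def match_list(names, pattern_list):
    """True if a positive pattern matches some name and no negated one does."""
    hit = False
    for name in names:
        for pat in pattern_list.split(","):
            if pat.startswith("!"):
                if _glob(pat[1:], name):
                    return False  # a negated match vetoes the whole list
            elif _glob(pat, name):
                hit = True
    return hit

def block_applies(criteria, user, groups):
    if [c.lower() for c in criteria] == ["all"]:
        return True
    # Only User and Group are evaluated here; Host, Address etc. raise KeyError.
    subjects = {"user": [user], "group": list(groups)}
    return all(match_list(subjects[k.lower()], p)
               for k, p in zip(criteria[::2], criteria[1::2]))

def password_auth(config, user, groups=()):
    """Effective value for user: first value per scope, Match over global."""
    first, active, in_match = {}, True, False
    for line in config.splitlines():
        words = line.split() or [""]
        key = words[0].lower()  # '#' comment lines match neither keyword below
        if key == "match":
            in_match, active = True, block_applies(words[1:], user, groups)
        elif key == "passwordauthentication" and active:
            first.setdefault("match" if in_match else "global", words[1].lower())
    return first.get("match") or first.get("global") or "yes"  # sshd default: yes
```

With this sample, jane (a member of local_users who is not named in the first block) keeps password login because the Group block is the first satisfied block that sets the keyword, even though the later *,!root block also matches her. On the server itself, sshd's extended test mode (sshd -T with a -C connection specification) reports the settings sshd would actually apply.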

That is all about how to disable SSH password login for specific users in Ubuntu 18.04. To learn more about this, check the reference below;

man sshd_config

You can also check our article on how to Configure SSH Public Key Authentication in Linux.


koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

2 thoughts on “Disable SSH Password Login for Specific Users in Ubuntu 18.04”

  1. Thanks for this article. If a user’s password is disabled for ssh, will they still be able to use their password with sudo?

    Thanks.

    Steve

    • Thanks for the feedback Steve. Yes, if the user is allowed to execute sudo on the system, then yes.
