December 1, 2015

Disabling SSH password authentication for a user

We decided that for our servers it would be a good idea to disable SSH password authentication for the root user and permit only PGP key authentication, as we store the keys used to log in as root on a GnuK token for emergencies.

The story is pretty short: it only requires creating a Match rule in the /etc/ssh/sshd_config file:

Match User root
    PasswordAuthentication no

There is also a second option (a better one if you have many users using PGP keys as the authentication method): creating a rule for a group:

Match Group SSHNoPwdAuth
    PasswordAuthentication no
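
How the two rules above resolve for a given login, as an added example (not code from the original post or from OpenSSH). It is a simplified model of the Match semantics in sshd_config(5) that handles only the User and Group criteria; the function names, sample file contents and the users alice and bob are constructed for illustration.

```python
from fnmatch import fnmatchcase

def in_pattern_list(names, patterns):
    """Comma-separated pattern list; a matching '!pattern' always rejects."""
    hit = False
    for pat in patterns.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        if any(fnmatchcase(n, pat) for n in names):
            if negated:
                return False
            hit = True
    return hit

def effective(config, keyword, user, groups=(), default="yes"):
    """Value of `keyword` for one login: the first satisfied Match block that
    sets it wins, otherwise the first global setting, otherwise the default."""
    in_match, applies = False, False
    global_val = match_val = None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            # A Match line opens a block that runs to the next Match or EOF.
            in_match, applies = True, True
            for crit, pats in zip(args[::2], args[1::2]):
                names = {"user": [user], "group": list(groups)}.get(crit.lower())
                if names is None:
                    raise ValueError(f"criterion not modelled here: {crit}")
                applies = applies and in_pattern_list(names, pats)
        elif key == keyword.lower() and args:
            if not in_match:
                global_val = global_val or args[0]
            elif applies:
                match_val = match_val or args[0]
    return match_val or global_val or default

# Constructed sample: the two rules from this page after a global default.
SAMPLE = """\
PasswordAuthentication yes
Match User root
    PasswordAuthentication no
Match Group SSHNoPwdAuth
    PasswordAuthentication no
"""
# Pitfall: a line appended at the end lands inside the last Match block,
# so it is not a global setting, whatever its indentation.
APPENDED = SAMPLE + "PasswordAuthentication no\n"

if __name__ == "__main__":
    for who, grps in [("root", []), ("alice", ["staff"]), ("bob", ["SSHNoPwdAuth"])]:
        print(who, effective(APPENDED, "PasswordAuthentication", who, grps))
```

On a live host, sshd -t checks the edited file for syntax errors before the daemon is reloaded.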