I want to harden my ssh server by restricting most users to Public Key
authentication only. I can set "ChallengeResponseAuthentication no" in
the config file, but I can't figure out how to then allow a user or
group within a Match section to use Keyboard-Interactive authentication.
"ChallengeResponseAuthentication" is not valid within a Match section.
When this directive is added globally there seems to be no way to
enable it again under a Match section. I also tried to set the global
option "KbdInteractiveAuthentication no", but this doesn't seem to be
valid outside of a Match section since users can connect without public
keys (the sshd process does accept this option, but it doesn't seem to
actually do anything outside of a Match section.)

At this point the only way I've found to do what I want is to add all
users I want to restrict to a group, create a Match section for this
group, and use the directive "KbdInteractiveAuthentication no". While
this works, I'd like to know if there is a way I can disable it as part
of the global sshd config and enable this authentication only for
specific users.

Thanks for any ideas.

--
Josh |
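
The group-plus-Match workaround described in the post, as an added example that is not part of the original message: a small resolver that applies sshd_config's documented precedence (a Match block overrides the global section, and the first value obtained for a keyword wins) to show which users a setting reaches. The group name "keyonly", the users and the sample config are constructed, and only "Match User", "Match Group" and "Match All" with exact names are handled.

```python
SAMPLE_CONFIG = """\
# Constructed sshd_config modelling the workaround from the post.
PubkeyAuthentication yes

Match Group keyonly
    KbdInteractiveAuthentication no
"""

def parse(text):
    """Split a config into global options and an ordered list of Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # A Match block runs until the next Match line or end of file.
            current = {"criteria": value.split(), "opts": {}}
            blocks.append(current)
        else:
            target = global_opts if current is None else current["opts"]
            target.setdefault(key, value)  # first obtained value wins
    return global_opts, blocks

def block_applies(criteria, user, groups):
    """Every criterion on the Match line must hold (exact names only)."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for kind, names in zip(criteria[0::2], criteria[1::2]):
        wanted = names.split(",")
        if kind.lower() == "user":
            ok = user in wanted
        elif kind.lower() == "group":
            ok = any(g in wanted for g in groups)
        else:
            ok = False  # Host, Address, etc. are outside this sketch
        if not ok:
            return False
    return True

def effective(text, keyword, user, groups):
    """Return the value sshd would use, or None if only its built-in default applies."""
    global_opts, blocks = parse(text)
    keyword = keyword.lower()
    for block in blocks:
        if keyword in block["opts"] and block_applies(block["criteria"], user, groups):
            return block["opts"][keyword]
    return global_opts.get(keyword)
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C` connection specification) reports the settings the daemon itself resolves for a given user.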