| 1 |
I want to harden my ssh server by restricting most users to Public Key |
| 2 |
authentication only. I can set "ChallengeResponseAuthentication no" in |
| 3 |
the config file, but I can't figure out how to then allow a user or |
| 4 |
group within a Match section to use Keyboard-Interactive authentication. |
| 5 |
"ChallengeResponseAuthentication" is not valid within a Match section. |
| 6 |
When this directive is added globally there seems to be no way to |
| 7 |
enable it again under a Match section. I also tried to set the global |
| 8 |
option "KbdInteractiveAuthentication no", but this doesn't seem to be |
| 9 |
valid outside of a Match section since users can connect without public |
| 10 |
keys (the sshd process does accept this option, but it doesn't seem to |
| 11 |
actually do anything outside of a Match section.) |
| 12 |
|
| 13 |
At this point the only way I've found to do what I want is to add all |
| 14 |
users I want to restrict to a group, create a Match section for this |
| 15 |
group, and use the directive "KbdInteractiveAuthentication no". While |
| 16 |
this works, I'd like to know if there is a way I can disable it as part |
| 17 |
of the global sshd config and enable this authentication only for |
| 18 |
specific users. |
| 19 |
|
| 20 |
Thanks for any ideas. |
| 21 |
|
| 22 |
-- |
| 23 |
Josh |
Archives