Using SSH keys is a solid security measure for hardening access to a Linux system, significantly reducing vulnerability to unauthorized login attempts. However, there may be scenarios where a specific user or group requires access via password authentication, even when SSH key-based access is enforced.
Instead of globally enabling passwords—which weakens the system's security—Linux provides a way to allow password-based access for individual users or groups without compromising the overall security posture.
Configuring Password Authentication for a Single User
To permit password authentication for a single user, modify the SSH daemon configuration file:
sudo vi /etc/ssh/sshd_config
Add the following directives:
Match User <username>
PasswordAuthentication yes
Match all
Configuring Password Authentication for a Group
To allow password authentication for a group of users, adjust the configuration as follows:
Match Group <groupname>
PasswordAuthentication yes
Match all
How the Match Block Works
- The Match directive applies settings only to the specified user or group.
- Once the Match block begins, its configuration remains in effect until:
  - Another Match directive is encountered.
  - The end of the configuration file is reached.
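The Match scoping described above, as an added example that is not part of the original article: a simplified Python model of how sshd resolves PasswordAuthentication for one user, for auditing a config before restarting the service. It assumes Match lines use only User, Group and all criteria with plain names or wildcards; the sample config, user names and function names are constructed for illustration.

```python
import fnmatch

# Constructed sample config: global password auth off, one user and one group exempted.
SAMPLE_CONFIG = """\
PasswordAuthentication no
Match User alice
    PasswordAuthentication yes
Match Group contractors
    PasswordAuthentication yes
Match all
"""

def match_applies(criteria, user, groups):
    """AND together the criteria on one Match line (User, Group and 'all' only)."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if not criteria or len(criteria) % 2:
        raise ValueError(f"unsupported Match line: {criteria}")
    for kind, patterns in zip(criteria[::2], criteria[1::2]):
        pats = patterns.split(",")
        if kind.lower() == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in pats)
        elif kind.lower() == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats)
        else:
            raise ValueError(f"unsupported Match criterion: {kind}")
        if not ok:
            return False
    return True

def password_auth(config_text, user, groups=()):
    """Return 'yes' or 'no': the PasswordAuthentication value that applies to this user."""
    global_value = matched_value = None
    in_match, active = False, True
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].replace("=", " ").split()
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "match":  # a new Match line ends the previous block
            in_match, active = True, match_applies(args, user, groups)
        elif keyword == "passwordauthentication" and active and args:
            value = args[0].lower()
            if in_match and matched_value is None:
                matched_value = value      # first matching Match block wins
            elif not in_match and global_value is None:
                global_value = value       # first global value wins
    # A value from a matching Match block overrides the global section; sshd defaults to yes.
    return matched_value or global_value or "yes"
```

On a live host, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T -C user=<username>` prints the settings sshd itself would apply to that user.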
Applying Changes
After making the necessary changes, restart the SSH service to apply the new configuration:
sudo systemctl restart sshd
Security Considerations
- Ensure that global password authentication remains disabled to prevent unauthorized access:
  PasswordAuthentication no
- Use strong passwords or enforce multi-factor authentication (MFA) for extra security.
- Regularly audit SSH access logs to detect suspicious login attempts.
By leveraging these settings, you can maintain a secure SSH environment while selectively granting password access to specific users or groups without weakening overall system security.