I want to harden my ssh server by restricting most users to Public Key
authentication only.  I can set "ChallengeResponseAuthentication no" in
the config file, but I can't figure out how to then allow a user or
group within a Match section to use Keyboard-Interactive authentication.
 "ChallengeResponseAuthentication" is not valid within a Match section.
 When this directive is added globally there seems to be no way to
enable it again under a Match section.  I also tried to set the global
option "KbdInteractiveAuthentication no", but this doesn't seem to be
valid outside of a Match section since users can connect without public
keys (the sshd process does accept this option, but it doesn't seem to
actually do anything outside of a Match section.)

At this point the only way I've found to do what I want is to add all
users I want to restrict to a group, create a Match section for this
group, and use the directive "KbdInteractiveAuthentication no".  While
this works, I'd like to know if there is a way I can disable it as part
of the global sshd config and enable this authentication only for
specific users.

Thanks for any ideas.

-- 
Josh
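
An added example, not part of the original post: one way to confirm which accounts end up with keyboard-interactive enabled once Match sections are evaluated, using `sshd -T -C` to print the effective configuration for a given user. The function names, the account names `alice` and `bob`, and the host/addr values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective
# KbdInteractiveAuthentication value that sshd would apply per user.

# Constructed sample of `sshd -T` output, used only to exercise the parser.
SAMPLE='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# kbd_state: read `sshd -T` output on stdin and print the value of
# kbdinteractiveauthentication ("yes"/"no"), or "unknown" if absent.
kbd_state() {
    awk 'tolower($1) == "kbdinteractiveauthentication" { v = tolower($2) }
         END { print (v == "" ? "unknown" : v) }'
}

# check_user USER EXPECTED: evaluate Match blocks for USER via `sshd -T -C`
# and compare with EXPECTED. host/addr are placeholder connection values.
check_user() {
    actual=$(sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" 2>/dev/null | kbd_state)
    if [ "$actual" = "$2" ]; then
        echo "ok       $1 kbdinteractive=$actual"
    else
        echo "MISMATCH $1 expected=$2 actual=$actual"
        return 1
    fi
}

# Usage (as root): ./audit.sh alice=no bob=yes
# alice and bob are hypothetical account names.
rc=0
for pair in "$@"; do
    check_user "${pair%%=*}" "${pair#*=}" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

Run it after each change to the Match sections; an "unknown" result means sshd could not print its configuration, which usually means the script was not run as root.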
