SSHD shared key only

I know how to set up sshd_config for shared key only access. Is it possible, however, to set up shared key only access for specific users? Example:
Users ABCD I want them to only be able to login with shared keys
Users EFGH I want them to be able to use a shared key, or if that key gets lost, corrupted or whatever, EFGH can still use a password, keyboard-interactive. How would I go about doing that?

On Mon, 2010-05-24 at 15:36 +0000, dhonnoll wrote:
> I know how to set up sshd_config for shared key only access. Is it
> possible, however, to set up shared key only access for specific users?
> Example:
> Users ABCD I want them to only be able to login with shared keys
> Users EFGH I want them to be able to use a shared key, or if that key
> gets lost, corrupted or whatever, EFGH can still use a password,
> keyboard-interactive. How would I go about doing that?
>
>

I don’t think there’s anything for normal users like there is with
PermitRootLogin.

So… one idea, though possibly a bit complicated… enable UsePAM in
sshd_config and control access for interactive logins that way (??).

I haven’t actually tried to do this… just an idea.

You could try a Match block for certain users:

Code:
--------------------
Match User E,F,G,H
    PasswordAuthentication yes
Match
--------------------

Unfortunately UsePAM doesn’t seem to be allowed inside a Match block, so I’m guessing about PasswordAuthentication. Let us know if it works.

On Mon, 2010-05-24 at 22:36 +0000, ken yap wrote:
> You could try a Match block for certain users:
>
>
> Code:
> --------------------
> Match User E,F,G,H
> PasswordAuthentication yes
> Match
> --------------------
>
>
> Unfortunately UsePAM doesn’t seem to be allowed inside a Match block,
> so I’m guessing about PasswordAuthentication. Let us know if it works.
>
>

Wow… didn’t know about Match… that could be the secret here.
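An added example, not part of any post in this thread: a complete sshd_config excerpt that combines the Match block suggested above with the global defaults it depends on, so that every account is key-only unless it is listed in the Match line. The user names E, F, G and H are the placeholders from the thread, and current OpenSSH keyword names are assumed.

```conf
# sshd_config excerpt (added example, not from the thread).

# Global defaults: these apply to every account that no Match block
# overrides, so users A, B, C and D can log in with a key only.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# Older OpenSSH releases also have ChallengeResponseAuthentication, which
# affects keyboard-interactive logins as well.

# UsePAM is not accepted inside a Match block. If it is needed, set it
# here in the global section.

# Keep Match blocks at the end of the file. Every directive after a Match
# line belongs to that block until the next Match line or end of file.
# Inside the block, listed keywords override the global values above;
# unlisted ones (PubkeyAuthentication here) keep their global setting.
Match User E,F,G,H
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes

# Check before reloading sshd (run as root, keep an existing session open):
#   sshd -t
#       syntax check only
#   sshd -T -C user=A,host=localhost,addr=127.0.0.1 | grep -i authentication
#       expect: passwordauthentication no
#   sshd -T -C user=E,host=localhost,addr=127.0.0.1 | grep -i authentication
#       expect: passwordauthentication yes
```

Without the global `PasswordAuthentication no`, the Match block changes nothing, because password logins default to enabled for every user.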