> Can I restrict authentication types for specific users?
> [using openssh-server 4.2p1-8 on Debian SID, x86]

Right now, no, not really.

You can do some limited things (eg setting a given user's passwd field
in /etc/shadow to "*", which will prevent password authentication while
still allowing non-password authentications) but there's no general method.

There's been some work[1] recently to extend sshd_config to allow it to
apply some config directives based on certain attributes of the
connection. If you're prepared to try the patch, it allows for
directives in sshd_config such as:

PasswordAuthentication no
Match User user1,user2
PasswordAuthentication yes
Match Group pwallowed
PasswordAuthentication yes

and similar.


Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.