Configure SSH To Allow Logging In Via Password For Certain Users or Groups
About
For WordPress sites, I prefer that the files are owned by a non-sudo user called wordpress rather than the web user www-data.
I can facilitate easy updates through the web console by the administrator by configuring WordPress (wp-config.php) to update over an SSH connection, and I deliberately leave out the password.
Then the administrator can simply enter the SSH password into the administrator console, whenever they wish to run updates or install a plugin.
However, this requires the server to allow this user to SSH into the server through the use of a password.
I generally like to configure my servers so that passwords cannot be used to SSH into them, forcing the use of an SSH key file. This allows me to give the user a somewhat simpler password, which they can use for running sudo commands if I don't want to allow passwordless sudo.
Luckily, there is a way to configure servers so that they generally require an SSH key to SSH into them, but certain users or groups are allowed to SSH in with a password. This lets me enable password login just for the WordPress user, who I will make sure has a strong random password, and who at least doesn't have sudo privileges anyway.
Example Configuration
Configuring the server's sshd_config to require an SSH key to log in, but allow a password for certain users or groups, can be achieved like so:
# ....
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# rest of file contents here.
# ....
# Append these lines to the bottom of your SSH config below
# where it mentions "Example of overriding settings on a per-user basis"
# Allow the "wordpress" user to authenticate via password
Match User wordpress
PasswordAuthentication yes
Match all
# Allow "user2" user to authenticate via password as well
Match User user2
PasswordAuthentication yes
Match all
# Allow users within the "myGroupName" user group to authenticate via password
Match Group myGroupName
PasswordAuthentication yes
Match all
The key thing is that a Match block is effective until another Match line is found, or the end of the file is reached. This means the Match all after each block is not strictly required (I have tested this), but it's a nice way of preventing mistakes, should some other lines be added later, or these blocks not be put in the correct place. Any directive placed after a Match line without an intervening Match all applies only to the connections that block matches, not globally.
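As an added illustration (not part of the original post), here is a small Python model of how sshd applies those lines: the global section supplies the default, the first matching Match block that sets a keyword overrides it, and a block stays active until the next Match line. It only understands the User, Group and all criteria (no wildcards or negation), and both sample configs are constructed for the example; the second one shows what happens to a line appended after a block with no Match all in front of it.

```python
import shlex
# Constructed sample mirroring the page's configuration.
SAMPLE = """\
PasswordAuthentication no
Match User wordpress
PasswordAuthentication yes
Match all
Match Group myGroupName
PasswordAuthentication yes
Match all
"""
# Constructed: a line appended after a Match block with no "Match all" before it.
STRAY = """\
PasswordAuthentication no
Match User wordpress
PasswordAuthentication yes
PermitRootLogin no
"""

def _matches(criteria, user, groups):
    # Only User, Group and 'all' are modelled (no wildcards or negation).
    if [c.lower() for c in criteria] == ["all"]:
        return True
    it = iter(criteria)
    for key in it:
        patterns = next(it, "").split(",")
        if key.lower() == "user" and user not in patterns:
            return False
        if key.lower() == "group" and not set(patterns) & set(groups):
            return False
    return True

def effective_value(config_text, keyword, user, groups=()):
    # sshd semantics: the first global value is the default; the first matching
    # Match block that sets the keyword overrides it, until the next Match line.
    global_val = match_val = None
    in_match = None  # None: global section; True/False: inside a Match block
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if not tokens:
            continue
        key, args = tokens[0].lower(), tokens[1:]
        if key == "match":
            in_match = _matches(args, user, groups)
        elif key == keyword.lower():
            if in_match is None and global_val is None:
                global_val = args[0]
            elif in_match and match_val is None:
                match_val = args[0]
    return match_val if match_val is not None else global_val
```

On the real server, `sudo sshd -t` checks the file for syntax errors before you restart, and `sudo sshd -T -C user=wordpress | grep -i passwordauthentication` prints the value the running sshd will actually apply for that user.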
First published: 13th June 2023