$ sudo sshd -d -T -C user=gqqnbig | grep passwordauthentication
debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1f 31 Mar 2020
debug1: user qiqig matched group list certificateLoginOnly at line 2

sshd tells me that if gqqnbig logs in, passwordauthentication is no.

Then I use psftp to log in with a password. It succeeds.

> psftp qiqig@172.25.9.11
Using username "gqqnbig".
gqqnbig@172.25.9.11's password:
Remote working directory is /home/gqqnbig

I use the default /etc/ssh/sshd_config, but I add certificateLoginOnly.conf in sshd_config.d.

$ cat /etc/ssh/sshd_config.d/certificateLoginOnly.conf
# Example of overriding settings on a per-user basis
Match Group certificateLoginOnly
	PasswordAuthentication no

If I move the Match block to sshd_config, I can no longer use a password to log in.
I'm unable to replicate this. Could you please attach a debug log from sshd? (Try "/path/to/sshd -ddd")
(In reply to gqqnb2005 from comment #0)
[...]
> I use default /etc/ssh/sshd_config, but I add
> certificateLoginOnly.conf in sshd_config.d.

The default sshd_config supplied by the OpenSSH team does not contain any Include directives. Showing the relevant parts of the configs would be useful, in particular any instances of PasswordAuthentication in the main config, any other Include statements and whether or not the included files contain PasswordAuthentication directives.
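One way to collect what the comment above asks for, as an added example that is not part of the thread and not OpenSSH code: it follows Include directives and lists every occurrence of a keyword with its file, line and Match context, without deciding which value sshd ends up applying. The names find_directive and SAMPLE are hypothetical, the Include line in the sample main config is constructed, and a Match block is assumed to end at the next Match or at the end of the file containing it.

```python
import fnmatch
import re

# Constructed sample (not the reporter's real files): path -> file contents.
SAMPLE = {
    "/etc/ssh/sshd_config":
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/certificateLoginOnly.conf":
        "# Example of overriding settings on a per-user basis\n"
        "Match Group certificateLoginOnly\n"
        "\tPasswordAuthentication no\n",
}

def find_directive(files, path, keyword, context="(global)", stack=()):
    """List (file, line, Match context, value) for every occurrence of keyword,
    in the order the files are read, following Include directives."""
    if path in stack:                      # guard against Include loops
        return []
    hits = []
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            # Assumption: lasts until the next Match or the end of this file.
            context = rest
        elif key == "include":
            for pattern in rest.split():
                if not pattern.startswith("/"):
                    # Relative Include paths are taken to be under /etc/ssh.
                    pattern = "/etc/ssh/" + pattern
                # fnmatch approximates sshd's glob matching; lexical order.
                for inc in sorted(f for f in files if fnmatch.fnmatch(f, pattern)):
                    hits += find_directive(files, inc, keyword, context,
                                           stack + (path,))
        elif key == keyword.lower():
            hits.append((path, lineno, context, rest))
    return hits

if __name__ == "__main__":
    for hit in find_directive(SAMPLE, "/etc/ssh/sshd_config",
                              "PasswordAuthentication"):
        print("%s:%d [%s] %s" % hit)
```

To run it against real files, build the dict by reading /etc/ssh/sshd_config and the files under sshd_config.d.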
It's my bad. I have two sshd, one is 8.4 and the other is 8.2.
close bugs that were resolved in OpenSSH 8.5 release cycle