Allow Or Deny SSH Access To A Particular User Or Group In Linux

Allow Or Deny SSH Acces

Few days ago, we taught you how to limit a user’s access to Linux system using Restricted shell. Once we have put the users in restricted mode, s/he can’t do anything, except what s/he was allowed to do. It will be helpful, if you want to allow a particular user to execute only a specific set of commands. In this guide, we are going to see how to allow or deny SSH access to a particular user or a group in Linux.

Allow Or Deny SSH Access To A Particular User Or Group In Linux

openSSH configuration file has two directives for both allowing and denying SSH access to a particular user(s) or a group.

Allow SSH Access to a user or group

First, we will see how to allow SSH access for a particular user, for example sk.

Please note that all commands should be run as root user.

Go to your remote server, and edit sshd_config file:

vi /etc/ssh/sshd_config

Add or edit the following line. Replace “sk” with your username.

AllowUsers sk

You can also specify more than one user as shown below.

AllowUsers sk ostechnix

To allow an entire group, say for example root, add/edit the following line:

AllowGroups root

Those who are in the “root” group are can able to ssh to the remote server.

Save and quit the SSH config file. Restart SSH service to take effect the changes.

systemctl restart sshd

Now, the users sk, ostechnix or all the users under the group “root” are allowed to ssh into your remote server. The other users (except sk, ostechnix and users of “root” group) can’t ssh to the remote server.

If you try to ssh in to the remote server using any one of non-allowed user, you will get the following message:

Permission denied, please try again.

Now, let us go ahead and see how to deny/disable ssh access to a particular user or group.

Deny SSH Access to a user or group

To disable or deny SSH access to any user or group, you need to add/edit the following directives in your remote server’s sshd_config file.

To deny SSH access to specific user called “sk”, edit sshd_config file:

vi /etc/ssh/sshd_config

Add/edit the following line in sshd_config file.

DenyUsers sk

Similarly, To deny SSH access to multiple users, specify the usernames with comma separated as shown below.

DenyUsers sk ostechnix

To deny SSH access to an entire group, add:

DenyGroups root

Save and quit the ssh config file. Restart ssh service to take effect the changes.

systemctl restart sshd

if you try to ssh to server using denied users, for example sk:

ssh sk@192.168.1.150

You will get the following message:

sk@192.168.1.150's password: 
Permission denied, please try again.
sk@192.168.1.150's password:

More importantly you should disable Root user login too. Root ssh access is considered a bad practice in terms of security.

To disable root ssh login, edit sshd_config file:

vi /etc/ssh/sshd_config

Find the following line, Uncomment it, and set the value to no.

PermitRootLogin no

Restart SSH service. Congrats! You have just disabled the ssh root login.

Easy-peasy, right? That’s all for now. If you find this guide helpful, share it on your social networks and support OSTechNix.

Happy weekend!

Cheers!!

Thanks for stopping by!

How can I benefit from this blog:

Have a Good day!!

You may also like...

  • MyDisqussion

    It would also be good to mention tcpwrappers, which can be used to restrict ssh (and other protocols). This can prevent unauthorized IP addresses from even touching the ssh service on the remote machine.