Allow Or Deny SSH Access To A Particular User Or Group In Linux

By sk

This brief guide will walk you through the steps to allow or deny SSH access to a particular user or group in Linux operating systems.

A while ago, we discussed how to limit a user's access to a Linux system using a restricted shell. Once we have put the users in restricted mode, they can't do anything except what they are allowed to do.

It will be helpful when you want to allow a particular user to execute only a specific set of commands.

In this article, we are going to enable or disable SSH access for a user or group by making a few changes in the default SSH configuration file.

Allow Or Deny SSH Access To A Particular User Or Group In Linux

The OpenSSH default configuration file has two directives for allowing and denying SSH access to a particular user(s) or a group.

First, let us see how to allow or enable SSH access to a user and group. Please note that all commands given below should be run as root or sudo user.

1. Allow SSH Access to a user or group

To allow SSH access for a particular user, for example sk, edit sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Press "i" to enter into insert mode and add or modify the following line:

AllowUsers sk

Replace "sk" with your username. Please mind the spacing between "AllowUsers" and "sk". You should use Tab instead of the Space-bar: type the word "AllowUsers", hit the Tab key, and then specify the username.

You can also specify more than one user as shown below.

AllowUsers user1 user2

To allow an entire group, say for example root, add/edit the following line:

AllowGroups root

This setting will allow all the members of the "root" group to ssh to the Linux server.

Press the ESC key to exit insert mode and type :wq to save and quit the SSH config file. Restart the SSH service for the changes to take effect.

$ sudo systemctl restart sshd

Now, the user sk and all the members of the "root" group are allowed to ssh into your Linux server. The other users (except sk and members of "root" group) are not allowed to access the system via ssh.

To verify it, try to ssh into the Linux server as one of the non-allowed users:

$ ssh [email protected]

You will get the following error message:

[email protected]'s password: 
Permission denied, please try again.

2. Deny SSH Access to a user or group

To disable or deny SSH access to a user or group, you need to add/modify the following directives in your remote server's sshd_config file.

  1. DenyUsers
  2. DenyGroups

To deny SSH access to a specific user called "sk", edit sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Add/edit the following line in sshd_config file.

DenyUsers sk

Make sure the space indentation is correct. Don't use the Space-bar. Press the Tab key and add the username.

Similarly, to deny SSH access to multiple users, specify the usernames separated by spaces as shown below.

DenyUsers user1 user2

Likewise, to deny SSH access to an entire group, for example root, add:

DenyGroups root

Save and quit the ssh config file. Restart the ssh service for the changes to take effect.

$ sudo systemctl restart sshd

Now try to ssh to your Linux machine from a blocked user account, for example sk:

$ ssh [email protected]

You will get the following message:

[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password:
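
sshd_config(5) documents that the allow/deny directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login has to pass every list that is set. The Python model below is an added example, not part of the original article or of OpenSSH; the sample configuration, account names and group memberships are constructed, and negated patterns, USER@HOST entries and Match blocks are not modelled.

```python
import re

# Order documented in sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
ORDER = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the four access-list directives from the global part of an sshd_config."""
    lists = {name: [] for name in ORDER}
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                           # blank line or comment
        keyword = fields[0].lower()            # keywords are case-insensitive
        if keyword == "match":                 # conditional blocks are not modelled
            break
        if keyword in lists:
            lists[keyword].extend(fields[1:])  # repeated directives accumulate
    return lists

def _matches(name, pattern):
    """sshd-style pattern: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None

def _any_match(names, patterns):
    return any(_matches(n, p) for n in names for p in patterns)

def check_access(lists, user, groups):
    """Return (allowed, reason) for an account with the given group memberships."""
    if _any_match([user], lists["denyusers"]):
        return False, "listed in DenyUsers"
    if lists["allowusers"] and not _any_match([user], lists["allowusers"]):
        return False, "not listed in AllowUsers"
    if _any_match(groups, lists["denygroups"]):
        return False, "a group is listed in DenyGroups"
    if lists["allowgroups"] and not _any_match(groups, lists["allowgroups"]):
        return False, "no group is listed in AllowGroups"
    return True, "passed every configured list"

# Constructed sample configuration and accounts (not taken from a real host).
SAMPLE_CONFIG = """
# access lists
AllowUsers sk user1 deploy?
DenyUsers user2
AllowGroups admins
DenyGroups contractors
"""
ACCOUNTS = {"sk": ["sk", "admins"], "user1": ["user1"], "user2": ["user2", "admins"],
            "deploy1": ["admins", "contractors"], "user3": ["admins"]}

if __name__ == "__main__":
    lists = parse_access_lists(SAMPLE_CONFIG)
    for user, groups in ACCOUNTS.items():
        print(user, *check_access(lists, user, groups))
```

On a real server, `sudo sshd -t` checks the edited file for errors before the restart, and keeping the current session open until a second login succeeds avoids locking yourself out.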

3. Disable SSH Root Login

Root ssh access is considered a bad practice in terms of security. So it is strongly recommended to disable SSH Root user login to secure your system.

To disable root ssh login, edit sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Find the following line, uncomment it, and set the value to no.

PermitRootLogin no

Restart the SSH service for the changes to take effect immediately:

$ sudo systemctl restart sshd

Conclusion

You now know how to grant and restrict SSH access to certain user(s) or a group in Linux. You also learned how to deny or disable SSH root login in Linux. It is one of the recommended security practices every Linux admin should implement when setting up a Linux server.

7 comments

MyDisqussion January 30, 2017 - 2:22 pm

It would also be good to mention tcpwrappers, which can be used to restrict ssh (and other protocols). This can prevent unauthorized IP addresses from even touching the ssh service on the remote machine.

sk February 9, 2018 - 11:42 am

Yeah, you’re absolutely right! I already have published a guide about Tcpwrappers. https://ostechnix.com/restrict-access-linux-servers-using-tcp-wrappers/

sk February 9, 2018 - 11:44 am

Cheers mate! I’m really glad that you find this blog useful.

Milofi May 8, 2020 - 3:58 am

Hey there,
It's an old post, … but when I disable all of a group and enable one single user in this group, can I access it or not?
And… what would you recommend for a login/edit method to change server files?

aviso May 10, 2020 - 10:07 am

I screwed up my ssh access with these instructions for root, now I cannot ssh, and cannot open the file through CWP in root. CWP has a terminal using Java on the browser and at the moment I try to open the file, the shell freezes on some system call deadlock I would imagine. Any suggestions??

sk May 10, 2020 - 11:50 am

If it is physical server, try to boot into rescue or emergency mode and try to undo all the changes you made earlier. If it is a remote or vps system, you might need to ask your hosting provider’s help.

Nathan July 2, 2021 - 1:41 am

Thank you. Finally, I am able to restrict some SSH users.
