
Allow Or Deny SSH Access To A Particular User Or Group In Linux

By sk

A few days ago, we showed you how to limit a user's access to a Linux system using the Restricted shell. Once users are put in restricted mode, they can't do anything except what they are allowed to do. This is helpful when you want to allow a particular user to execute only a specific set of commands. In this guide, we are going to see how to allow or deny SSH access to a particular user or group in Linux.

Allow Or Deny SSH Access To A Particular User Or Group In Linux

The default OpenSSH configuration file has two directives each for allowing and for denying SSH access to particular users or groups.

Allow SSH Access to a user or group

First, we will see how to allow SSH access for a particular user, for example sk.

Please note that all commands should be run as the root user.

Go to your remote server, and edit the sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Add or edit the following line:

AllowUsers sk

Replace "sk" with your username. You can also specify more than one user as shown below.

AllowUsers sk ostechnix

To allow an entire group, say for example root, add/edit the following line:

AllowGroups root

Users in the "root" group will be able to ssh to the remote server.

Save and quit the SSH config file. Restart the SSH service for the changes to take effect.

$ sudo systemctl restart sshd

Now, the users sk, ostechnix or all the users under the group "root" are allowed to ssh into your remote server. The other users (except sk, ostechnix and users of "root" group) can't.

If you try to ssh to the remote server as any non-allowed user, you will get the following error message:

Permission denied, please try again.

Now, let us go ahead and see how to deny/disable ssh access to a particular user or group.

Deny SSH Access to a user or group

To disable or deny SSH access to any user or group, you need to add/edit the following directives in your remote server's sshd_config file.

To deny SSH access to a specific user called "sk", edit the sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Add/edit the following line in the sshd_config file.

DenyUsers sk

Similarly, to deny SSH access to multiple users, specify the usernames separated by spaces as shown below.

DenyUsers sk ostechnix

To deny SSH access to an entire group, for example root, add:

DenyGroups root

Save and quit the SSH config file. Restart the SSH service for the changes to take effect.

$ sudo systemctl restart sshd

If you try to ssh to the server as a denied user, for example sk:

$ ssh [email protected]

You will get the following message:

[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password:
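
The four directives are not independent: sshd_config(5) documents that they are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login has to pass every list that is set. The shell functions below are an added example, not part of the original article, that apply that order to a configuration passed in as text. The sample configuration, the group names "sshusers" and "contractors" and the function names are constructed for illustration; PermitRootLogin is a separate check and is not modelled.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): evaluate sshd's four access
# lists in the sshd_config(5) order. Patterns are plain names or * ? globs;
# USER@HOST and !negated forms are not handled here.

# Constructed sample configuration.
SAMPLE_CONFIG='
PermitRootLogin no
AllowUsers sk ostechnix
DenyGroups contractors
AllowGroups sshusers
'

# list_for KEYWORD CONFIG_TEXT: print every pattern given for KEYWORD
# (keywords are case-insensitive; repeated lines accumulate).
list_for() {
  printf '%s\n' "$2" | awk -v k="$1" '
    tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# matches_any "NAMES" "PATTERNS": succeed if any name matches any pattern.
matches_any() {
  local name pat
  set -f                       # do not expand * and ? against files
  for name in $1; do
    for pat in $2; do
      case "$name" in $pat) set +f; return 0 ;; esac
    done
  done
  set +f
  return 1
}

# ssh_access USER "USER_GROUPS" CONFIG_TEXT: print "allow" or the failing check.
ssh_access() {
  local user="$1" grps="$2" cfg="$3" du au dg ag
  du=$(list_for DenyUsers "$cfg");  au=$(list_for AllowUsers "$cfg")
  dg=$(list_for DenyGroups "$cfg"); ag=$(list_for AllowGroups "$cfg")
  if matches_any "$user" "$du"; then echo "deny: DenyUsers"; return; fi
  if [ -n "$au" ] && ! matches_any "$user" "$au"; then echo "deny: not in AllowUsers"; return; fi
  if matches_any "$grps" "$dg"; then echo "deny: DenyGroups"; return; fi
  if [ -n "$ag" ] && ! matches_any "$grps" "$ag"; then echo "deny: not in AllowGroups"; return; fi
  echo "allow"
}

# sk is listed in AllowUsers but also belongs to a denied group.
ssh_access sk "sk sshusers contractors" "$SAMPLE_CONFIG"
```

On a real server, the group list to pass in for a user is the output of id -Gn USER.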

More importantly, you should disable root user login too. Root SSH access is considered bad practice in terms of security.

To disable root ssh login, edit the sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Find the following line, uncomment it, and set the value to no.

PermitRootLogin no

Restart the SSH service. Congrats! You have just disabled the ssh root login.



6 comments

MyDisqussion January 30, 2017 - 2:22 pm

It would also be good to mention tcpwrappers, which can be used to restrict ssh (and other protocols). This can prevent unauthorized IP addresses from even touching the ssh service on the remote machine.

sk February 9, 2018 - 11:42 am

Yeah, you’re absolutely right! I already have published a guide about Tcpwrappers. https://ostechnix.com/restrict-access-linux-servers-using-tcp-wrappers/

sk February 9, 2018 - 11:44 am

Cheers mate! I’m really glad that you find this blog useful.

Milofi May 8, 2020 - 3:58 am

Hey There
It's an old post, … but when I disable all of a group and enable one single user in this group, can I access it or not?
And… what would you recommend for a login/edit method to change server files?

aviso May 10, 2020 - 10:07 am

I screwed up my ssh access with these instructions for root, now I cannot ssh, and cannot open the file through CWP in root. CWP has a terminal using Java on the browser and at the moment I try to open the file, the shell freezes on some system call deadlock I would imagine. Any suggestions??

sk May 10, 2020 - 11:50 am

If it is a physical server, try to boot into rescue or emergency mode and try to undo all the changes you made earlier. If it is a remote or VPS system, you might need to ask for your hosting provider’s help.
