
How To Allow Or Deny SSH Access To A Particular User Or Group In Linux

By sk

This brief guide will walk you through the steps to allow or deny SSH access to a particular user or group in Linux and Unix operating systems.

We will also learn how to disable SSH root login in Linux. Disabling SSH root login enhances security by mitigating the risk of brute force attacks against the root account, which, if compromised, grants full control over the system.

Introduction

A while ago, we discussed how to limit a user's access to a Linux system using a restricted shell. Once we have put users in restricted mode, they can't do anything except what they are allowed to do.

It will be helpful when you want to allow a particular user to execute only a specific set of commands.

In this article, we are going to enable or disable SSH access for a user or group by making a few changes in the default SSH configuration file.

Allow or Deny SSH Access to a Particular User or Group in Linux

The OpenSSH default configuration file has two directives for allowing and denying SSH access to particular user(s) or a group.

First, let us see how to allow or enable SSH access for a user and a group. Please note that all commands given below should be run as root or as a sudo user.

1. Allow SSH Access to a User or Group

To allow SSH access for a particular user, for example sk, edit the /etc/ssh/sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Press "i" to enter insert mode and add or modify the following line:

AllowUsers sk

Replace "sk" with your username. Please mind the spacing between "AllowUsers" and "sk". You should use Tab instead of the Space-bar: type the word "AllowUsers", hit the Tab key, and then specify the username.

You can also specify more than one user as shown below.

AllowUsers user1 user2

To allow SSH access for an entire group, for example root, add/edit the following line:

AllowGroups root

This setting will allow all the members of the "root" group to ssh to the Linux server.

Press the ESC key to exit insert mode and type :wq to save and quit the SSH config file. Restart the SSH service for the changes to take effect.

$ sudo systemctl restart sshd

Now, the user sk and all the members of the "root" group are allowed to ssh into your Linux server. The other users (except sk and members of "root" group) are not allowed to access the system via ssh.

To verify it, try to ssh into the Linux server as one of the non-allowed users:

$ ssh ostechnix@192.168.225.52

You will get the following error message:

ostechnix@192.168.225.52's password: 
Permission denied, please try again.

2. Deny SSH Access to a User or Group

To disable or deny SSH access for a user or group, you need to add/modify the following directives in your remote server's /etc/ssh/sshd_config file.

  1. DenyUsers
  2. DenyGroups

To deny SSH access to a specific user called "sk", edit the /etc/ssh/sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Add/edit the following line:

DenyUsers sk

Make sure the spacing is correct. Don't use the Space-bar; press the Tab key and add the username.

Similarly, to deny SSH access to multiple users, specify the usernames separated by spaces as shown below.

DenyUsers user1 user2

Likewise, to deny SSH access to an entire group, for example root, add:

DenyGroups root

Save and quit the SSH config file. Restart the SSH service for the changes to take effect.

$ sudo systemctl restart sshd

Now try to ssh to your Linux machine from a blocked user account, for example sk:

$ ssh sk@192.168.225.52

You will get the following message:

sk@192.168.225.52's password: 
Permission denied, please try again.
sk@192.168.225.52's password:
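
The four directives from sections 1 and 2 can appear in the same file; sshd_config(5) documents that they are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login must pass every one that is set. The script below is an added example, not part of the original article: it models that order for a candidate config file so that an account can be checked before sshd is restarted. The function names, the sample policy and the accounts are constructed for illustration, and the model assumes plain names with * and ? wildcards only.

```shell
#!/bin/sh
# Added example, not from the article: a model of sshd's documented check
# order DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups.
# Assumptions: names and * ? wildcards only; no USER@HOST patterns, "!"
# negation, Match blocks, Include files or Keyword=value syntax.

# directive_values FILE KEYWORD: print every argument given to KEYWORD.
directive_values() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# matches_any NAME PATTERN...: succeed if NAME matches one of the patterns.
matches_any() {
    name=$1; shift
    for pat in "$@"; do
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# any_group_matches "GROUP GROUP..." PATTERN...: succeed if any group matches.
any_group_matches() {
    glist=$1; shift
    for g in $glist; do
        matches_any "$g" "$@" && return 0
    done
    return 1
}

# ssh_access_decision FILE USER "GROUP GROUP...": print "allow" or "deny: <why>".
# Runs in a subshell so that "set -f" and the variables stay local.
ssh_access_decision() (
    set -f   # keep * and ? in patterns from expanding to file names
    cfg=$1; user=$2; glist=$3
    du=$(directive_values "$cfg" DenyUsers);  au=$(directive_values "$cfg" AllowUsers)
    dg=$(directive_values "$cfg" DenyGroups); ag=$(directive_values "$cfg" AllowGroups)
    if [ -n "$du" ] && matches_any "$user" $du; then echo "deny: DenyUsers"
    elif [ -n "$au" ] && ! matches_any "$user" $au; then echo "deny: not in AllowUsers"
    elif [ -n "$dg" ] && any_group_matches "$glist" $dg; then echo "deny: DenyGroups"
    elif [ -n "$ag" ] && ! any_group_matches "$glist" $ag; then echo "deny: not in AllowGroups"
    else echo allow
    fi
)

# Constructed sample policy and accounts (not taken from a real server).
demo_cfg=$(mktemp)
printf '%s\n' 'AllowUsers sk admin' 'DenyGroups contractors' > "$demo_cfg"
for who in "sk:sk sudo" "admin:admin contractors" "ostechnix:ostechnix"; do
    printf '%-10s %s\n' "${who%%:*}" "$(ssh_access_decision "$demo_cfg" "${who%%:*}" "${who#*:}")"
done
rm -f "$demo_cfg"
```

Run ssh_access_decision against the edited file for your own admin account, taking the group list from id -Gn <user>, and keep an existing SSH session open until a fresh login succeeds.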

3. Disable SSH Root Login

Root SSH access is considered a bad practice in terms of security, so it is strongly recommended to disable SSH root login to secure your system.

To disable root SSH login, edit the /etc/ssh/sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Find the following line, uncomment it, and set the value to no.

PermitRootLogin no

Restart the SSH service for the changes to take effect immediately:

$ sudo systemctl restart sshd

Conclusion

You now know how to grant and restrict SSH access to certain user(s) or a group in Linux. You also learned how to deny or disable SSH root login in Linux. It is one of the recommended security practices every Linux admin should implement when setting up a Linux server.


11 comments

MyDisqussion January 30, 2017 - 2:22 pm

It would also be good to mention tcpwrappers, which can be used to restrict ssh (and other protocols). This can prevent unauthorized IP addresses from even touching the ssh service on the remote machine.

sk February 9, 2018 - 11:42 am

Yeah, you’re absolutely right! I already have published a guide about Tcpwrappers. https://ostechnix.com/restrict-access-linux-servers-using-tcp-wrappers/

sk February 9, 2018 - 11:44 am

Cheers mate! I’m really glad that you find this blog useful.

Milofi May 8, 2020 - 3:58 am

Hey There
It's an old post, … but when I disable all of a group and enable one single user in this group, can I access it or not?
And… what would you recommend for a login/edit method to change server files?

aviso May 10, 2020 - 10:07 am

I screwed up my ssh access with these instructions for root, now I cannot ssh, and cannot open the file through CWP in root, CWP has a terminal using Java on the browser and at the moment I try to open the file, the shell freezes on some system call deadlock I would imagine, any suggestions??

sk May 10, 2020 - 11:50 am

If it is a physical server, try to boot into rescue or emergency mode and try to undo all the changes you made earlier. If it is a remote or VPS system, you might need to ask for your hosting provider’s help.

Nathan July 2, 2021 - 1:41 am

Thank you. Finally, I am able to restrict some SSH users.

Maikel December 9, 2021 - 2:53 am

This post is a very terrible idea. It screwed up my server and I had to delete all my content. The author of this post should add a warning that when you use AllowUser, you should ALWAYS include root as an allowed user or else you would never be able to sign in to ssh as root again.

Also, the best way to create a user is to use the “adduser USERNAME” command, and that automatically adds the user to the server and allows ssh access.

sk December 9, 2021 - 11:03 am

As I mentioned in the article, you shouldn’t allow ssh access for the root user. It is bad for security. Also, you must make sure that you have additional sudo user access. This way you can access your system just in case you accidentally lock yourself out. However, I will add a warning note as you suggested. Thanks for bringing it to my attention.

Kim Jin April 7, 2023 - 12:03 pm

In general, tabs and spaces don’t have different meanings in config files (except Makefile, ...).

But, you said,

> Please mind the space indentation between “AllowUsers” and “sk”. You should use Tab instead of Space-bar. Meaning – add the word “AllowUsers” and hit the Tab key and then specify the username.
>
> Make sure the space indention is correct. Don’t use Space-bar. Press Tab key and add the username.

Is there any reason to use TAB instead of SPACE-bars? (except aesthetics)

sk April 7, 2023 - 1:18 pm
