This brief guide will walk you through the steps to allow or deny SSH access to a particular user or group in Linux and Unix operating systems. We will also learn how to disable SSH root login in Linux. Disabling SSH root login enhances security by mitigating the risk of brute-force attacks against the root account, which, if compromised, grants full control over the system.
Introduction
A while ago, we discussed how to limit a user's access to a Linux system using a restricted shell. Once users are put in restricted mode, they can't do anything except what they are explicitly allowed to do. This is helpful when you want to allow a particular user to execute only a specific set of commands.
In this article, we are going to enable or disable SSH access for a user or group by making a few changes in the default SSH server configuration file.
Allow or Deny SSH Access to a Particular User or Group in Linux
The OpenSSH server configuration file has two directives each for allowing and denying SSH access to particular users or groups.
First, let us see how to allow or enable SSH access for a user and a group. Please note that all commands given below should be run as root or as a sudo user.
1. Allow SSH Access to a User or Group
To allow SSH access for a particular user, for example sk, edit the /etc/ssh/sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Press "i" to enter insert mode and add or modify the following line:
AllowUsers sk
Replace "sk" with your username. Please mind the whitespace between "AllowUsers" and "sk". You should use Tab instead of the space bar, meaning: type the word "AllowUsers", hit the Tab key, and then specify the username.
You can also specify more than one user as shown below.
AllowUsers user1 user2
To allow SSH access for an entire group, for example root, add or edit the following line:
AllowGroups root
This setting will allow all members of the "root" group to SSH into the Linux server.
Press the ESC key to exit insert mode and type :wq to save and quit the SSH config file. Restart the SSH service for the changes to take effect.
$ sudo systemctl restart sshd
Now, the user sk and all members of the "root" group are allowed to SSH into your Linux server. Other users (except sk and members of the "root" group) are not allowed to access the system via SSH.
To verify it, try to SSH into the Linux server as one of the non-allowed users:
$ ssh ostechnix@192.168.225.52
You will get the following error message:
ostechnix@192.168.225.52's password: Permission denied, please try again.
2. Deny SSH Access to a User or Group
To disable or deny SSH access to a user or group, you need to add or modify the following directives in your remote server's /etc/ssh/sshd_config file.
- DenyUsers
- DenyGroups
To deny SSH access to a specific user called "sk", edit the /etc/ssh/sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Add/edit the following line:
DenyUsers sk
Make sure the whitespace is correct. Don't use the space bar; press the Tab key and then add the username.
Similarly, to deny SSH access to multiple users, list the usernames separated by spaces as shown below.
DenyUsers user1 user2
Likewise, to deny SSH access to an entire group, for example root, add:
DenyGroups root
Save and quit the SSH config file. Restart the SSH service for the changes to take effect.
$ sudo systemctl restart sshd
Now try to SSH into your Linux machine from a blocked user account, for example sk:
$ ssh sk@192.168.225.52
You will get the following message:
sk@192.168.225.52's password: Permission denied, please try again. sk@192.168.225.52's password:
3. Disable SSH Root Login
Root SSH access is considered a bad practice in terms of security, so it is strongly recommended to disable SSH login for the root user to secure your system.
To disable root SSH login, edit the /etc/ssh/sshd_config file:
$ sudo vi /etc/ssh/sshd_config
Find the following line, uncomment it, and set the value to no.
PermitRootLogin no
Restart the SSH service for the changes to take effect immediately:
$ sudo systemctl restart sshd
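Sections 1 to 3 all come down to editing one keyword in /etc/ssh/sshd_config by hand. The added example below (my code, not from the article) does the same edit as a shell function so it can be repeated and checked: it uncomments or replaces the existing line, or inserts the keyword before the first Match block if it is absent (keywords placed after a Match line apply only inside that block), and it keeps the file's ownership and mode. The names set_sshd_option and get_sshd_option are chosen here, and the file contents used in the demonstration are constructed. After editing the real file, run `sudo sshd -t` to validate the syntax and keep your current SSH session open until a second login succeeds, then restart the service.

```shell
#!/bin/sh
# Added example: set one global sshd_config keyword idempotently, the way
# section 3 does by hand ("find the line, uncomment it, set the value").
# Names set_sshd_option/get_sshd_option are chosen here; the file contents
# used at the bottom are constructed, not a real /etc/ssh/sshd_config.
set -e

# set_sshd_option FILE KEYWORD VALUE
#  - replaces the first "KEYWORD ..." line (active or commented out) that
#    appears before any Match block, case-insensitively;
#  - if there is none, inserts "KEYWORD VALUE" just before the first Match
#    line, because keywords after a Match line apply only inside that block;
#  - appends it when the file has no Match block at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0; lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indentation and a leading "#"
            split(line, f, /[ \t]+/)
            word = tolower(f[1])
        }
        tolower($1) == "match" {               # an active Match line
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && !done && word == lkey { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    # Copy the content back rather than mv, so the original owner and mode stay.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEYWORD -> the effective global value: the first active
# occurrence before any Match block (sshd uses the first value it obtains).
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# Demonstration on a constructed file.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '#PermitRootLogin prohibit-password' \
    'Match User deploy' '    PermitRootLogin yes' > "$demo"
set_sshd_option "$demo" PermitRootLogin no
echo "effective global PermitRootLogin: $(get_sshd_option "$demo" PermitRootLogin)"
rm -f "$demo"
```

Real use is `sudo sh -c '. ./sshd_option.sh; set_sshd_option /etc/ssh/sshd_config PermitRootLogin no'` followed by `sudo sshd -t`; the Match block in the demonstration is left alone on purpose, since a per-user override there is a deliberate exception rather than the global default the article is changing.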
Conclusion
You now know how to grant and restrict SSH access to certain users or groups in Linux. You also learned how to deny or disable SSH root login in Linux. It is one of the recommended security practices every Linux admin should implement when setting up a Linux server.
11 comments
It would also be good to mention tcpwrappers, which can be used to restrict ssh (and other protocols). This can prevent unauthorized IP addresses from even touching the ssh service on the remote machine.
Yeah, you’re absolutely right! I already have published a guide about Tcpwrappers. https://ostechnix.com/restrict-access-linux-servers-using-tcp-wrappers/
Cheers mate! I’m really glad that you find this blog useful.
Hey There
It's an old post, but when I disable all of a group and enable one single user in this group, can I access it or not?
And what would you recommend as a login/edit method to change server files?
I screwed up my SSH access with these instructions for root; now I cannot SSH, and cannot open the file through CWP as root. CWP has a terminal using Java in the browser, and the moment I try to open the file, the shell freezes on some system call deadlock, I would imagine. Any suggestions?
If it is a physical server, try to boot into rescue or emergency mode and undo all the changes you made earlier. If it is a remote or VPS system, you might need to ask your hosting provider for help.
Thank you. Finally, I am able to restrict some SSH users.
This post is a very terrible idea. It screwed up my server and I had to delete all my content. The author of this post should add a warning that when you use AllowUsers, you should ALWAYS include root as an allowed user or else you would never be able to sign in to SSH as root again.
Also, the best way to create a user is to use the "adduser USERNAME" command, which automatically adds the user to the server and allows SSH access.
As I mentioned in the article, you shouldn't allow SSH access for the root user. It is bad for security. Also, you must make sure that you have an additional sudo user. This way you can access your system in case you accidentally lock yourself out. However, I will add a warning note as you suggested. Thanks for bringing it to my attention.
In general, tabs and spaces don't have different meanings in config files (except in Makefiles, etc.).
But, you said,
> Please mind the space indentation between “AllowUsers” and “sk”. You should use Tab instead of Space-bar. Meaning – add the word “AllowUsers” and hit the Tab key and then specify the username.
>
> Make sure the space indention is correct. Don’t use Space-bar. Press Tab key and add the username.
Is there any reason to use TAB instead of the SPACE bar (except aesthetics)?
TAB and SPACE have differences. Please have a look at this thread. https://stackoverflow.com/questions/7728829/what-is-the-difference-between-using-tab-and-space-when-we-do-source-code-format