How to control SSH access for users and groups

Restricting SSH access to selected users and groups reduces exposure of administrative services on multi-user Linux systems. Centralized access rules prevent unprivileged or forgotten accounts from opening remote sessions on critical servers.

The sshd daemon reads /etc/ssh/sshd_config during startup and evaluates access-control directives such as AllowUsers, DenyUsers, AllowGroups, and DenyGroups before authentication. These directives match local account names and group memberships and determine whether a connection attempt is processed or dropped.

Access-control rules interact with other security mechanisms including non-login shells and disabled passwords, so restrictions in /etc/ssh/sshd_config should be designed with these layers in mind. Service accounts often use shells like /usr/sbin/nologin or /bin/false that already block interactive sessions, while administrator accounts typically retain full shells. Commands below assume a systemd managed ssh service on a recent Ubuntu or similar Linux distribution.

Steps to control SSH access for users and groups:

Open a terminal with sudo privileges.

Retrieve the list of users currently on the system.

$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
##### snipped #####
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
backupuser:x:1001:1001::/home/backupuser:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash

Obtain the list of available groups on the system.

$ getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,user
##### snipped #####
sudo:x:27:user,backupuser
##### snipped #####
user:x:1000:
backupuser:x:1001:
deploy:x:1002:

Open the SSH daemon (sshd) configuration file with a text editor.
```
$ sudo vi /etc/ssh/sshd_config
```
Add user accounts permitted to log in over SSH using the AllowUsers directive.
```
AllowUsers user backupuser
```
Accounts not listed in AllowUsers are rejected when the directive is present.

Multiple user names can be specified as space separated values or with multiple AllowUsers lines.

Wildcards and pattern matches are accepted in AllowUsers entries.
Add user accounts explicitly denied SSH login using the DenyUsers directive.
```
DenyUsers deploy
```
DenyUsers entries are checked before AllowUsers and override permission for matching accounts.

Overly broad AllowUsers or DenyUsers patterns can block administrative access and require console or out-of-band recovery.
Add groups permitted to log in over SSH using the AllowGroups directive.
```
AllowGroups sudo
```
Group-based restrictions complement user-based entries and follow the same matching rules as AllowUsers.
Add groups explicitly denied SSH login using the DenyGroups directive.
```
DenyGroups deploy
```
DenyGroups is evaluated before AllowGroups and denies login for members of matching groups.
Validate the sshd configuration syntax before reloading.
```
$ sudo sshd -t
```
Absence of output indicates that /etc/ssh/sshd_config passes basic syntax checks.

Related: How to check and validate the SSH server configuration
Restart the ssh service to apply access-control changes.
```
$ sudo systemctl restart ssh
```
On some Linux distributions the service name is sshd instead of ssh.

Related: How to manage the SSH server service with systemctl in Linux

Confirm that the ssh service is active after the restart.

$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-01-10 19:53:53 +08; 3min 13s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
##### snipped #####

Test SSH login with an allowed account and confirm that a denied user cannot authenticate.

$ ssh user@host.example.net 'whoami'
user
$ ssh -o BatchMode=yes deploy@host.example.net 'whoami'
deploy@host.example.net: Permission denied (publickey,password).

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.