Controlling SSH access for specific users and groups is essential for securing a Linux server. By configuring the SSH daemon, you can allow or deny SSH access based on user and group settings. This ensures that only authorized users can connect to your server.
You can manage SSH access by using directives like AllowUsers, DenyUsers, AllowGroups, and DenyGroups in the SSH configuration file. These directives provide a straightforward way to enforce access control. They allow you to specify which users and groups are permitted or denied SSH access.
Additionally, assigning a non-login shell like /sbin/nologin or /bin/false to certain accounts can further restrict SSH access. This method ensures that even if a user is not explicitly denied SSH access, they cannot interact with the system via a shell. Together, these techniques help secure your server by controlling who can log in via SSH.
Steps to allow or deny access for users or groups in SSH:
- Open the terminal.
- Retrieve the list of users currently on the system.
$ getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:117:123::/var/lib/saned:/usr/sbin/nologin nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin whoopsie:x:119:125::/nonexistent:/bin/false colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false user:x:1000:1000:user,,,:/home/user:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin sshd:x:127:65534::/run/sshd:/usr/sbin/nologin alice:x:1001:1001:alice,,,:/home/alice:/bin/bash bob:x:1002:1002:bob,,,:/home/bob:/bin/bash
- Obtain the list of available groups in the system.
$ getent group root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:syslog,user tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:user floppy:x:25: tape:x:26: sudo:x:27:user,alice audio:x:29:pulse dip:x:30:user www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46:user staff:x:50: games:x:60: users:x:100: nogroup:x:65534: systemd-timesync:x:101: systemd-journal:x:102: systemd-network:x:103: systemd-resolve:x:104: crontab:x:105: messagebus:x:106: input:x:107: kvm:x:108: render:x:109: syslog:x:110: tss:x:111: bluetooth:x:112: ssl-cert:x:113: uuidd:x:114: tcpdump:x:115: ssh:x:116: avahi-autoipd:x:117: rtkit:x:118: netdev:x:119: avahi:x:120: lpadmin:x:121:user scanner:x:122:saned saned:x:123: nm-openvpn:x:124: whoopsie:x:125: colord:x:126: sssd:x:127: geoclue:x:128: pulse:x:129: pulse-access:x:130: gdm:x:131: lxd:x:132:user user:x:1000: sambashare:x:133:user systemd-coredump:x:999: alice:x:1001: bob:x:1002:
- Open the SSH daemon (SSHd) configuration file using your preferred text editor.
$ sudo vi /etc/ssh/sshd_config
- Add users to allow SSH log in to the system in the AllowUsers directive.
AllowUsers alice user
Users not listed will not be allowed to login.
Use space separated value or add multiple entry to configure for multiple users.
Regex and wildcard values are accepted.
- Add users to deny SSH login to the DenyUsers directive.
DenyUsers charlie
Works in contrast with AllowUsers.
Configuration options similar to AllowUsers.
- Add groups to allow SSH login using AllowGroups directive.
AllowGroups admin
Configuration options similar to AllowUsers.
- Add groups to deny SSH login to the DenyGroups directive.
DenyGroups finance
Works in contrast with AllowGroups.
Configuration options similar to AllowUsers.
- Restart the SSH service to apply the changes.
$ sudo systemctl restart ssh
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.
Comment anonymously. Login not required.