Restricting SSH access to selected users and groups reduces exposure of administrative services on multi-user Linux systems. Centralized access rules prevent unprivileged or forgotten accounts from opening remote sessions on critical servers.

The sshd daemon reads /etc/ssh/sshd_config at startup and evaluates the access-control directives AllowUsers, DenyUsers, AllowGroups, and DenyGroups once a client has presented a user name, before that user is allowed to authenticate. These directives match local account names and group memberships and determine whether the login attempt continues or is refused.

Access-control rules interact with other security mechanisms, including non-login shells and disabled passwords, so restrictions in /etc/ssh/sshd_config should be designed with these layers in mind. Service accounts often use shells such as /usr/sbin/nologin or /bin/false that already block interactive sessions, while administrator accounts typically retain full shells. The commands below assume a systemd-managed ssh service on a recent Ubuntu or similar Linux distribution.

Steps to allow or deny access for users or groups in SSH:

  1. Open a terminal with sudo privileges.
  2. Retrieve the list of users currently on the system.
    $ getent passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
    avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
    usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
    rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
    dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
    cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
    speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
    kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
    saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
    nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
    whoopsie:x:119:125::/nonexistent:/bin/false
    colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
    sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
    geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
    pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
    hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
    gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
    gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
    user:x:1000:1000:user,,,:/home/user:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    sshd:x:127:65534::/run/sshd:/usr/sbin/nologin
    alice:x:1001:1001:alice,,,:/home/alice:/bin/bash
    bob:x:1002:1002:bob,,,:/home/bob:/bin/bash
  3. Obtain the list of available groups on the system.
    $ getent group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,user
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:user
    floppy:x:25:
    tape:x:26:
    sudo:x:27:user,alice
    audio:x:29:pulse
    dip:x:30:user
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:user
    staff:x:50:
    games:x:60:
    users:x:100:
    nogroup:x:65534:
    systemd-timesync:x:101:
    systemd-journal:x:102:
    systemd-network:x:103:
    systemd-resolve:x:104:
    crontab:x:105:
    messagebus:x:106:
    input:x:107:
    kvm:x:108:
    render:x:109:
    syslog:x:110:
    tss:x:111:
    bluetooth:x:112:
    ssl-cert:x:113:
    uuidd:x:114:
    tcpdump:x:115:
    ssh:x:116:
    avahi-autoipd:x:117:
    rtkit:x:118:
    netdev:x:119:
    avahi:x:120:
    lpadmin:x:121:user
    scanner:x:122:saned
    saned:x:123:
    nm-openvpn:x:124:
    whoopsie:x:125:
    colord:x:126:
    sssd:x:127:
    geoclue:x:128:
    pulse:x:129:
    pulse-access:x:130:
    gdm:x:131:
    lxd:x:132:user
    user:x:1000:
    sambashare:x:133:user
    systemd-coredump:x:999:
    alice:x:1001:
    bob:x:1002:
  4. Open the SSH daemon (sshd) configuration file with a text editor.
    $ sudo vi /etc/ssh/sshd_config
  5. Add user accounts permitted to log in over SSH using the AllowUsers directive.
    AllowUsers alice user

    Accounts not listed in AllowUsers are rejected when the directive is present.

    Multiple user names can be specified as space separated values or with multiple AllowUsers lines.

    Patterns using the wildcards * and ? are accepted in AllowUsers entries, including the USER@HOST form that limits a user to connections from particular hosts or addresses.

  6. Add user accounts explicitly denied SSH login using the DenyUsers directive.
    DenyUsers bob

    DenyUsers entries are checked before AllowUsers and override permission for matching accounts.

    Overly broad AllowUsers or DenyUsers patterns can block administrative access and require console or out-of-band recovery.

  7. Add groups permitted to log in over SSH using the AllowGroups directive.
    AllowGroups sudo

    Group-based restrictions complement user-based entries and follow the same matching rules as AllowUsers.

  8. Add groups explicitly denied SSH login using the DenyGroups directive.
    DenyGroups finance

    DenyGroups is evaluated before AllowGroups and denies login for members of matching groups.

  9. Validate the sshd configuration syntax before reloading.
    $ sudo sshd -t

    Absence of output indicates that /etc/ssh/sshd_config passes basic syntax checks.

  10. Restart the ssh service to apply access-control changes.
    $ sudo systemctl restart ssh

    On some Linux distributions the service name is sshd instead of ssh.

  11. Confirm that the ssh service is active after the restart.
    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2025-01-09 11:23:45 UTC; 5s ago
    ##### snipped #####
  12. Test SSH login with an allowed account and confirm that a denied user cannot authenticate.
    $ ssh alice@server
    Welcome to Ubuntu 22.04.4 LTS
    ##### snipped #####
    $ ssh bob@server
    Permission denied (publickey,password).
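To check how the four directives combine before restarting sshd, the following added example (not part of the original article) models sshd's evaluation order offline: it reads a constructed sshd_config fragment (CONF), takes the user's group list from the caller instead of /etc/group, and reports allow or deny. USER@HOST patterns are outside what it handles.

```shell
#!/bin/sh
# Offline model of sshd's user/group access checks: an added example, not the
# article's code. Assumed inputs: the constructed config fragment in CONF and
# caller-supplied group lists (no real sshd/passwd/group); USER@HOST patterns ignored.
CONF='# constructed /etc/ssh/sshd_config fragment
AllowUsers alice user
DenyUsers bob
AllowGroups sudo
DenyGroups finance
'

# directive_values NAME: values of every NAME line in CONF (case-insensitive key).
directive_values() {
    printf '%s\n' "$CONF" | awk -v d="$1" 'tolower($1)==tolower(d) { $1=""; print }'
}

# matches PATTERNS WORD: succeed if WORD matches any glob (* ?) in PATTERNS.
matches() {
    word=$2
    for pat in $1; do
        case $word in $pat) return 0 ;; esac   # $pat unquoted so globs apply
    done
    return 1
}

# ssh_access USER "GROUP ...": print allow or deny using the order sshd_config(5)
# documents: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
ssh_access() {
    u=$1; grps=$2
    deny_u=$(directive_values DenyUsers);  allow_u=$(directive_values AllowUsers)
    deny_g=$(directive_values DenyGroups); allow_g=$(directive_values AllowGroups)
    if [ -n "$deny_u" ] && matches "$deny_u" "$u"; then echo deny; return; fi
    if [ -n "$allow_u" ] && ! matches "$allow_u" "$u"; then echo deny; return; fi
    for g in $grps; do
        if [ -n "$deny_g" ] && matches "$deny_g" "$g"; then echo deny; return; fi
    done
    if [ -n "$allow_g" ]; then
        for g in $grps; do
            matches "$allow_g" "$g" && { echo allow; return; }
        done
        echo deny; return
    fi
    echo allow
}

# Demo against the constructed fragment (group lists are constructed too).
for who in "alice:alice sudo" "bob:bob" "user:user sudo finance" "root:root"; do
    printf '%-5s -> %s\n' "${who%%:*}" "$(ssh_access "${who%%:*}" "${who#*:}")"
done
```

Note that a user listed in AllowUsers is still refused when none of their groups match AllowGroups, which is why adding AllowGroups sudo on top of AllowUsers can lock out an account that is not in sudo.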