Controlling SSH access for specific users and groups is essential for securing a Linux server. By configuring the SSH daemon, you can allow or deny SSH access based on user and group settings. This ensures that only authorized users can connect to your server.

You can manage SSH access by using directives like AllowUsers, DenyUsers, AllowGroups, and DenyGroups in the SSH configuration file. These directives provide a straightforward way to enforce access control. They allow you to specify which users and groups are permitted or denied SSH access.

Additionally, assigning a non-login shell like /sbin/nologin or /bin/false to certain accounts can further restrict SSH access. This method ensures that even if a user is not explicitly denied SSH access, they cannot interact with the system via a shell. Together, these techniques help secure your server by controlling who can log in via SSH.

Steps to allow or deny access for users or groups in SSH:

  1. Open the terminal.
  2. Retrieve the list of users currently on the system.
    $ getent passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
    avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
    usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
    rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
    dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
    cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
    speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
    kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
    saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
    nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
    whoopsie:x:119:125::/nonexistent:/bin/false
    colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
    sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
    geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
    pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
    hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
    gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
    gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
    user:x:1000:1000:user,,,:/home/user:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    sshd:x:127:65534::/run/sshd:/usr/sbin/nologin
    alice:x:1001:1001:alice,,,:/home/alice:/bin/bash
    bob:x:1002:1002:bob,,,:/home/bob:/bin/bash
  3. Obtain the list of available groups in the system.
    $ getent group 
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,user
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:user
    floppy:x:25:
    tape:x:26:
    sudo:x:27:user,alice
    audio:x:29:pulse
    dip:x:30:user
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:user
    staff:x:50:
    games:x:60:
    users:x:100:
    nogroup:x:65534:
    systemd-timesync:x:101:
    systemd-journal:x:102:
    systemd-network:x:103:
    systemd-resolve:x:104:
    crontab:x:105:
    messagebus:x:106:
    input:x:107:
    kvm:x:108:
    render:x:109:
    syslog:x:110:
    tss:x:111:
    bluetooth:x:112:
    ssl-cert:x:113:
    uuidd:x:114:
    tcpdump:x:115:
    ssh:x:116:
    avahi-autoipd:x:117:
    rtkit:x:118:
    netdev:x:119:
    avahi:x:120:
    lpadmin:x:121:user
    scanner:x:122:saned
    saned:x:123:
    nm-openvpn:x:124:
    whoopsie:x:125:
    colord:x:126:
    sssd:x:127:
    geoclue:x:128:
    pulse:x:129:
    pulse-access:x:130:
    gdm:x:131:
    lxd:x:132:user
    user:x:1000:
    sambashare:x:133:user
    systemd-coredump:x:999:
    alice:x:1001:
    bob:x:1002:
  4. Open the SSH daemon (SSHd) configuration file using your preferred text editor.
    $ sudo vi /etc/ssh/sshd_config
  5. Add users to allow SSH log in to the system in the AllowUsers directive.
    AllowUsers alice user

    Users not listed will not be allowed to login.

    Use space separated value or add multiple entry to configure for multiple users.

    Regex and wildcard values are accepted.

  6. Add users to deny SSH login to the DenyUsers directive.
    DenyUsers charlie

    Works in contrast with AllowUsers.

    Configuration options similar to AllowUsers.

  7. Add groups to allow SSH login using AllowGroups directive.
    AllowGroups admin

    Configuration options similar to AllowUsers.

  8. Add groups to deny SSH login to the DenyGroups directive.
    DenyGroups finance

    Works in contrast with AllowGroups.

    Configuration options similar to AllowUsers.

  9. Restart the SSH service to apply the changes.
    $ sudo systemctl restart ssh
Discuss the article:

Comment anonymously. Login not required.