How to allow or deny specific user or group to SSH

You can control access to your SSH server by configuring firewall rules to only allow login from specific IP address or configure to whether or not allow root user to login. You can also configure the user's shell to /sbin/nologin or /bin/false so that the user will not be able to log in at all.

There are however options in SSH server configuration to set the exact users and groups that are allowed and not allowed to log in to the SSH server without affecting their other form of logins.

1. Launch terminal.
2. Get list of users on the system.

   ~$ getent passwd
   root:x:0:0:root:/root:/bin/bash
   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
   bin:x:2:2:bin:/bin:/usr/sbin/nologin
   sys:x:3:3:sys:/dev:/usr/sbin/nologin
   sync:x:4:65534:sync:/bin:/bin/sync
   games:x:5:60:games:/usr/games:/usr/sbin/nologin
   man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
   lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
   mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
   news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
   uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
   proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
   www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
   list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
   irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
   nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
   systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
   systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
   systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
   messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
   syslog:x:104:110::/home/syslog:/usr/sbin/nologin
   _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
   tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
   uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
   tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
   avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
   usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
   rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
   dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
   avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
   cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
   speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
   kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
   saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
   nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
   whoopsie:x:119:125::/nonexistent:/bin/false
   colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
   sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
   geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin
   pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
   hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false
   gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
   gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
   user:x:1000:1000:user,,,:/home/user:/bin/bash
   systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
   sshd:x:127:65534::/run/sshd:/usr/sbin/nologin
   alice:x:1001:1001:alice,,,:/home/alice:/bin/bash
   bob:x:1002:1002:bob,,,:/home/bob:/bin/bash

3. Get list of groups in the system.

   $ getent group 
   root:x:0:
   daemon:x:1:
   bin:x:2:
   sys:x:3:
   adm:x:4:syslog,user
   tty:x:5:
   disk:x:6:
   lp:x:7:
   mail:x:8:
   news:x:9:
   uucp:x:10:
   man:x:12:
   proxy:x:13:
   kmem:x:15:
   dialout:x:20:
   fax:x:21:
   voice:x:22:
   cdrom:x:24:user
   floppy:x:25:
   tape:x:26:
   sudo:x:27:user,alice
   audio:x:29:pulse
   dip:x:30:user
   www-data:x:33:
   backup:x:34:
   operator:x:37:
   list:x:38:
   irc:x:39:
   src:x:40:
   gnats:x:41:
   shadow:x:42:
   utmp:x:43:
   video:x:44:
   sasl:x:45:
   plugdev:x:46:user
   staff:x:50:
   games:x:60:
   users:x:100:
   nogroup:x:65534:
   systemd-timesync:x:101:
   systemd-journal:x:102:
   systemd-network:x:103:
   systemd-resolve:x:104:
   crontab:x:105:
   messagebus:x:106:
   input:x:107:
   kvm:x:108:
   render:x:109:
   syslog:x:110:
   tss:x:111:
   bluetooth:x:112:
   ssl-cert:x:113:
   uuidd:x:114:
   tcpdump:x:115:
   ssh:x:116:
   avahi-autoipd:x:117:
   rtkit:x:118:
   netdev:x:119:
   avahi:x:120:
   lpadmin:x:121:user
   scanner:x:122:saned
   saned:x:123:
   nm-openvpn:x:124:
   whoopsie:x:125:
   colord:x:126:
   sssd:x:127:
   geoclue:x:128:
   pulse:x:129:
   pulse-access:x:130:
   gdm:x:131:
   lxd:x:132:user
   user:x:1000:
   sambashare:x:133:user
   systemd-coredump:x:999:
   alice:x:1001:
   bob:x:1002:

4. Open SSHd configuration using your favorite text editor.

   $ sudo vi /etc/ssh/sshd_config

5. Add users to allow to log in to the system via SSH using AllowUsers directive.

   AllowUsers alice user

   Users not listed will not be allowed to login.

   Use space separated value or add multiple entry to configure for multiple users.

   Regex and wildcard values are accepted.

6. Add users to deny SSH login using DenyUsers directive.

   DenyUsers charlie

   Works in contrast with AllowUsers.

   Configuration options similar to AllowUsers.

7. Add groups to allow SSH login using AllowGroups directive.

   AllowGroups admin

   Configuration options similar to AllowUsers.

8. Add groups to deny SSH login using DenyGroups directive.

   DenyGroups finance

   Works in contrast with AllowGroups.

   Configuration options similar to AllowUsers.

9. Restart SSH service for changes to take effect.

   $ sudo systemctl restart ssh

   Related: How to start, restart and stop SSH service