In order to manage access to an SSH server more effectively, there are various strategies you can employ. For example, you may choose to prevent the root user from logging in or configure certain users' SHELL to /sbin/nologin or /bin/false, which will prevent them from accessing the terminal.
Beyond these options, you can also configure the SSH server to grant or restrict access for specific users or groups without impacting their other login methods.
$ getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin avahi:x:113:120:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin cups-pk-helper:x:114:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:117:123::/var/lib/saned:/usr/sbin/nologin nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin whoopsie:x:119:125::/nonexistent:/bin/false colord:x:120:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin sssd:x:121:127:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin geoclue:x:122:128::/var/lib/geoclue:/usr/sbin/nologin pulse:x:123:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin hplip:x:124:7:HPLIP system user,,,:/run/hplip:/bin/false gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false user:x:1000:1000:user,,,:/home/user:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin sshd:x:127:65534::/run/sshd:/usr/sbin/nologin alice:x:1001:1001:alice,,,:/home/alice:/bin/bash bob:x:1002:1002:bob,,,:/home/bob:/bin/bash
$ getent group root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:syslog,user tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24:user floppy:x:25: tape:x:26: sudo:x:27:user,alice audio:x:29:pulse dip:x:30:user www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46:user staff:x:50: games:x:60: users:x:100: nogroup:x:65534: systemd-timesync:x:101: systemd-journal:x:102: systemd-network:x:103: systemd-resolve:x:104: crontab:x:105: messagebus:x:106: input:x:107: kvm:x:108: render:x:109: syslog:x:110: tss:x:111: bluetooth:x:112: ssl-cert:x:113: uuidd:x:114: tcpdump:x:115: ssh:x:116: avahi-autoipd:x:117: rtkit:x:118: netdev:x:119: avahi:x:120: lpadmin:x:121:user scanner:x:122:saned saned:x:123: nm-openvpn:x:124: whoopsie:x:125: colord:x:126: sssd:x:127: geoclue:x:128: pulse:x:129: pulse-access:x:130: gdm:x:131: lxd:x:132:user user:x:1000: sambashare:x:133:user systemd-coredump:x:999: alice:x:1001: bob:x:1002:
$ sudo vi /etc/ssh/sshd_config
AllowUsers alice user
Users not listed will not be allowed to login.
Use space separated value or add multiple entry to configure for multiple users.
Regex and wildcard values are accepted.
DenyUsers charlie
Works in contrast with AllowUsers.
Configuration options similar to AllowUsers.
AllowGroups admin
Configuration options similar to AllowUsers.
DenyGroups finance
Works in contrast with AllowGroups.
Configuration options similar to AllowUsers.
$ sudo systemctl restart ssh
Comment anonymously. Login not required.