OpenSSH deny or restrict access to users and groups

By | January 19, 2015

OpenSSH has two directives for allowing and denying ssh user access.

DenyUsers user1 user2 user3

Use to block user login. You can use wild cards as well as [email protected] (user1 is not allowed to login from host) pattern.

DenyGroups group1 group2
A list of group names, if user is part of primary of supplementary group login access is denied. You can use wildcards.

Please note that you cannot use a numeric group or username ID. If these directives are not used, default is to allow everyone.

AllowUsers user1 user2
This directive is opposite of DenyUsers directive.

AllowGroups group1 group2
This directive is opposite of DenyGroups directive.

You should always block access to root user/group:
Open /etc/ssh/sshd_config file:

# vi /etc/ssh/sshd_config

Append following names (directives):

DenyUsers root finadmin
DenyGroups root finadmin

Make sure at least one user is allowed to use ‘su -‘ command.

Save the file and restart the sshd.

This is a secure setup and you are restricting the users allowed to access the system via SSH with four above directives.

Please note that if you want to deny or allow access to large number of users consider SSH PAM configuration (ideal for ISPs and Web hosting service providers). PAM allows you to store usernames using text files (you do not have to mess up with ssh configuration file)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.