Restrict SSH Login by User or Group Using sshd_config

Introduction

Securing remote access to Linux servers is a critical task for system administrators. The Secure Shell (SSH) protocol is widely used for remote server administration, and by default, it allows any system user to attempt a login. This default behavior can increase the attack surface, especially in environments with numerous user accounts or shared servers. To mitigate potential security risks, it is essential to restrict SSH login access to only trusted users or specific user groups. This can be effectively managed using the SSH daemon configuration file, located at /etc/ssh/sshd_config.

Controlling SSH login access is particularly important for multi-user systems, production servers, or any system that handles sensitive data. By explicitly allowing or denying access based on usernames or groups, administrators can enforce policy compliance and reduce unauthorized access attempts. The configuration options AllowUsers, DenyUsers, AllowGroups, and DenyGroups in the sshd_config file enable fine-grained control over which users or groups can initiate SSH sessions.

These directives are applicable to any Linux distribution using OpenSSH, such as Ubuntu, Debian, CentOS, AlmaLinux, and Rocky Linux. Understanding how and when to use each directive is key to effective SSH access management. For instance, in an organization where multiple departments have different access levels, restricting SSH access by group can simplify access control and audit logging.

This article demonstrates how to restrict SSH login using the /etc/ssh/sshd_config file, providing detailed steps to configure and test the settings. It also addresses common challenges such as configuration precedence, syntax errors, and service restarts. Readers will gain practical knowledge to securely manage SSH access in real-world scenarios.

Prerequisites

  • A Linux-based server with OpenSSH installed (version 7.0 or higher)
  • Root or sudo privileges to edit the SSH configuration
  • A basic understanding of Linux user and group management
  • SSH service (sshd) enabled and running

Step-by-step Guide

Step 1: Backup the SSH Configuration File

Before making any changes, back up the existing SSH configuration to prevent accidental lockouts.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 2: Restrict SSH Access by User

To allow or deny SSH logins for specific users, use the AllowUsers or DenyUsers directive in the SSH configuration file.

Allow specific users only:

sudo nano /etc/ssh/sshd_config

Add the following line to allow only adminuser and devuser to log in:

AllowUsers adminuser devuser

Deny specific users:

Alternatively, to block certain users while leaving access open to others:

DenyUsers testuser tempuser

Step 3: Restrict SSH Access by Group

To allow or deny SSH login based on group membership, use the AllowGroups or DenyGroups directive.

Allow specific groups:

AllowGroups sshadmins devteam

Deny specific groups:

DenyGroups guests intern
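🖊️ Tip: Use only Allow* directives or only Deny* directives so the resulting policy stays easy to reason about. If both kinds are present, the most restrictive outcome applies: a user must pass every directive that is set before a login is accepted.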
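The precedence behind the tip above, as an added example that is not part of the original article: OpenSSH checks DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a login must pass every directive that is set. The function names, the temporary sample config and the group memberships below are constructed for illustration; only plain names and the * and ? wildcards are modelled.

```shell
#!/bin/sh
# Added example (not from the article): models sshd's check order
# DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups for one user.

# Print every value of directive $2 in config file $1 (keyword is case-insensitive).
directive_values() {
    awk -v key="$2" 'tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# Return 0 if name $1 matches a pattern in list $2. Simplification: only * and ?
# wildcards are modelled, not USER@HOST or ! negation.
matches_any() {
    set -f    # split the list without expanding patterns against filenames
    for _pat in $2; do
        case $1 in $_pat) set +f; return 0 ;; esac
    done
    set +f; return 1
}

# Print "allow" or "deny (<reason>)" for user $2 with group list $3 under config $1.
ssh_login_decision() {
    _du=$(directive_values "$1" DenyUsers);  _au=$(directive_values "$1" AllowUsers)
    _dg=$(directive_values "$1" DenyGroups); _ag=$(directive_values "$1" AllowGroups)
    if matches_any "$2" "$_du"; then echo "deny (DenyUsers)"; return 0; fi
    if [ -n "$_au" ] && ! matches_any "$2" "$_au"; then echo "deny (not in AllowUsers)"; return 0; fi
    for _g in $3; do
        if matches_any "$_g" "$_dg"; then echo "deny (DenyGroups)"; return 0; fi
    done
    if [ -z "$_ag" ]; then echo "allow"; return 0; fi
    for _g in $3; do
        if matches_any "$_g" "$_ag"; then echo "allow"; return 0; fi
    done
    echo "deny (not in AllowGroups)"
}

# Constructed sample config: all four directives, using the article's example names.
sample_config() {
    _f=$(mktemp) || return 1
    printf '%s\n' 'AllowUsers adminuser devuser' 'DenyUsers testuser tempuser' \
        'AllowGroups sshadmins devteam' 'DenyGroups guests intern' > "$_f"
    echo "$_f"
}

cfg=$(sample_config)
for c in "adminuser:sshadmins" "adminuser:staff" "devuser:devteam intern" "testuser:sshadmins"; do
    printf '%-24s -> %s\n' "$c" "$(ssh_login_decision "$cfg" "${c%%:*}" "${c#*:}")"
done
rm -f "$cfg"
```

To check a real account, pass the server's file and the account's groups, for example ssh_login_decision /etc/ssh/sshd_config alice "$(id -Gn alice)", where alice is a placeholder. Match blocks and Include files are not evaluated by this example.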

Step 4: Verify Syntax and Restart SSH Service

After editing the configuration file, verify that there are no syntax errors:

sudo sshd -t

If no output is returned, the syntax is correct. Now restart the SSH service:

sudo systemctl restart sshd
⚠️ Warning: Misconfiguration may lock out all SSH users, including administrators. Always keep a backup terminal session open or have console access before restarting the SSH service.

Step 5: Test SSH Access

From another terminal, attempt to connect via SSH as both an allowed user and a denied user to verify that the restrictions work as expected.

Example test command:

ssh adminuser@your-server-ip

Conclusion

Restricting SSH access by user or group using the /etc/ssh/sshd_config file enhances the security posture of any Linux-based server. By implementing AllowUsers, DenyUsers, AllowGroups, and DenyGroups, administrators gain precise control over who can remotely access the system. Proper configuration, validation, and testing ensure minimal disruption while tightening access control. For further security, consider combining these restrictions with key-based authentication, firewall rules, and fail2ban.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.