Loading ...OpenSSH deny or restrict access to users and groups
OpenSSH has two directives for allowing and denying ssh user access.
DenyUsers user1 user2 user3
Use to block user login. You can use wild cards as well as user1@somedomain.com (user1 is not allowed to login from somedomain.com host) pattern.
DenyGroups group1 group2
A list of group names, if user is part of primary of supplementary group login access is denied. You can use wildcards.
Please note that you cannot use a numeric group or username ID. If these directives are not used, default is to allow everyone.
AllowUsers user1 user2
This directive is opposite of DenyUsers directive.
AllowGroups group1 group2
This directive is opposite of DenyGroups directive.
You should always block access to root user/group:
Open /etc/ssh/sshd_config file:
# vi /etc/ssh/sshd_config
Append following names (directives):
DenyUsers root finadmin
DenyGroups root finadmin
Make sure at least one user is allowed to use 'su -' command.
Save the file and restart the sshd.
This is a secure setup and you are restricting the users allowed to access the system via SSH with four above directives.
Please note that if you want to deny or allow access to large number of users consider SSH PAM configuration (ideal for ISPs and Web hosting service providers). PAM allows you to store usernames using text files (you do not have to mess up with ssh configuration file).
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- OpenSSH Root user account restriction - revisited
- Lighttpd restrict or deny access by IP address
- Open SSH Server connection drops out after few or N minutes of inactivity
- Linux PAM configuration that allows or deny login via the sshd server
- Best Linux / UNIX Posts of 2007: Part ~ IV
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
i disagree with blocking root entirely.
i like to use ssh public+private keys for root access, giving each root user their own key and password, and thus avoiding the hassle of a shared password. shared passwords are a great security risk, and hard to change, as you need to get all root users together when the password is to be changed.
unfortunately, i have not yet figured out how to restrict root to only be able to use ssh from localhost (other than using a seperate process)
eMBee,
Root is not allowed to login ssh. However, user embee can login and run su - to become a superuser. This way root is blocked over network login but normal sys admin can login over ssh account can become a super user on demand.
restrict root to only be able to use ssh from localhost
Try out following entry:
AllowUsers root@localhost
If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
I hope this helps.
How about if let said you want to do rsync? Shall you use username: root? beside root, how can I rsync so many folder with different permission.
using su forces the use of a shared password, which is what i want to avoid.
AllowUsers says in the documentation:
“If specified, login is allowed only for user names that match one of the patterns.”
that means ALL OTHER users will be blocked, which is not desired either. i need something that allows me to say: allow any users except root from anywhere, and root only from localhost.
there may be a way to combine AllowUsers and AllowGroups, but the docs say nothing about how those two would interact.
Planet Malaysia: for rsync you would want to allow root specificly for the host that you are synchronizing with.
Hmm…
Have you evaluated or considered sudo option? I use sudo extensively here. Although it is not 100% perfect but better than sharing root password. It also log down all failed (or command access) messages. Sudo is your best option, IMPO.
Let me know if you are aware of any other tools or methods….
Planet Malaysia, follow emBee\’s suggestion or add user to group grant necessary file level permissions
You need to configure PAM login access control tables. These tables will give you desired effect i.e. allow any users except root from anywhere, and root only from localhost (just like iptables).
There is also a iptables module which attempts to match various characteristics of the packet creator (both INPUT and OUTPUT chain) but it is badly broken and it may not work on SMP system at all.
I will post more info about login access control tables soon. See URL: http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html
i did a few quick tests on the interaction of AllowUsers and AllowGroups and it seems that they can’t really be used together. when i set:
AllowUsers: root@localhost
AllowGroups: users
the result was that noone could login, even adding root to the group users didn’t help.
LinuxTitli: using the users password for root access is not really good either. if some users account is compromized (because someone managed to get at the users password), then root is automaticly compromized as well.
i look forward to try the suggestions in nixcrafts new article soon.
Dear all,
how can i restrict a user to view others folder except his own folder after login?
thanks
steve
/etc/ssh/sshd_config
PermitRootLogon no
Above denies root to login remotely but is able to login locally on the console.
Use sudo to give access to sys admins.