
The idea is simple: you want to limit who can use sshd based on a list of users. A text file holds the usernames that may not log in (or that are allowed to log in) through the SSH server. This is used to improve security by restricting SSH access to a known set of accounts.

PAM (Pluggable Authentication Modules) lets you define a flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users with an sshd configuration option. However, if you want to block or allow a large number of users, use the PAM configuration instead.

A note for new sys admins

  1. Back up all data and PAM configuration files before making any modification 🙂
  2. Be careful when applying this configuration. A wrong configuration can lock out all login access, including root access.
  3. Read this Linux-PAM configuration file syntax guide
  4. Now continue reading below for the configuration…

Use of module

This PAM module authenticates users based on the contents of a specified file. For example, if the username exists in the file /etc/sshd/ssh.allow, sshd grants login access.

How do I configure the module to deny access?

You want to block a user if the username exists in the file /etc/sshd/sshd.deny.

Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append the following line:
auth required item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed

Save and close the file.

Now add all usernames to the /etc/sshd/sshd.deny file. A user listed in this file is denied login via sshd:
# vi /etc/sshd/sshd.deny

Append one username per line:

Restart the sshd service:
# /etc/init.d/sshd restart

Understanding the config directives:

  • auth required : the module is a required part of the auth stack used when authenticating users.
  • item=user : check the username
  • sense=deny : deny the user if the username exists in the specified file
  • file=/etc/sshd/sshd.deny : name of the file containing the list of users (one user per line)
  • onerr=succeed : if an error is encountered, PAM returns the status PAM_SUCCESS.

How do I configure the module to allow access?

You want to ALLOW a user to use ssh if the username exists in the file /etc/sshd/sshd.allow.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append the following line:
auth required item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

Save and close the file.

Now add all usernames to the /etc/sshd/sshd.allow file. A user is allowed to log in via sshd only if they are listed in this file.
# vi /etc/sshd/sshd.allow

Append one username per line:

Restart the sshd service (optional):
# /etc/init.d/sshd restart

Now if paul tries to log in using ssh, he gets an error:
Permission denied (publickey,keyboard-interactive).

The following log entries are recorded in the log file (/var/log/secure or /var/log/auth.log):
tail -f /var/log/auth.log

Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx

Understanding the config directives:

  • auth required : the module is a required part of the auth stack used when authenticating users.
  • item=user : check the username
  • sense=allow : allow the user if the username exists in the specified file
  • file=/etc/sshd/sshd.allow : name of the file containing the list of users (one user per line)
  • onerr=fail : if the file does not exist or the username formatting is not correct, login is not allowed.
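As an added example (not part of the article), the decision logic of both sections above, sense=deny with onerr=succeed and sense=allow with onerr=fail, reproduced as a shell function so each combination can be tried against a list file before the line goes into /etc/pam.d. It models pam_listfile, the module the PAM-listfile log line refers to, and assumes one username per line; the list file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the article: reproduces the decision pam_listfile
# makes for one username with item=user, so sense=allow|deny and
# onerr=fail|succeed can be tried against a list file before the line goes
# into /etc/pam.d. Assumes the list file holds one username per line.
# Returns 0 when the module would report success (login continues) and 1
# when it would report failure.
listfile_decision() {
    user=$1 sense=$2 onerr=$3 file=$4
    # Error path: file missing, not a regular file, or world-writable.
    # pam_listfile refuses such a file and falls back to onerr; that is why
    # onerr=succeed on an allow list fails open (anyone may log in).
    if [ ! -f "$file" ] || [ -n "$(find "$file" -prune -perm -002 -print)" ]; then
        [ "$onerr" = succeed ] && return 0
        return 1
    fi
    # The comparison is an exact, whole-line match of the username.
    if grep -qxF -- "$user" "$file"; then listed=1; else listed=0; fi
    case $sense in
        allow) [ "$listed" -eq 1 ] && return 0; return 1 ;;
        deny)  [ "$listed" -eq 0 ] && return 0; return 1 ;;
        *)     echo "unknown sense: $sense" >&2; return 1 ;;
    esac
}

# Reports lines an exact match can never hit: empty lines and lines that
# contain whitespace (a trailing space or CRLF ending is the usual reason a
# user "is in the file" yet is still refused). Returns 0 when the file is
# clean, 1 when problem lines were printed.
listfile_lint() {
    if grep -nE '^$|[[:space:]]' "$1"; then return 1; fi
    return 0
}

# Demo with a constructed list file (not a real /etc/sshd/sshd.allow).
demo() {
    tmp=$(mktemp) && printf 'paul\nvivek\n' > "$tmp" && chmod 644 "$tmp"
    listfile_lint "$tmp" && echo "list file format ok"
    for u in paul bob; do
        if listfile_decision "$u" allow fail "$tmp"; then echo "$u: allowed"; else echo "$u: refused"; fi
    done
    rm -f "$tmp"
}
demo
```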

Further reading:

  1. Linux PAM guide for system administrators
  2. Sun Solaris PAM site has excellent information for both sys admins and developers
  3. Download the three Linux-PAM Guides, for system administrators, module developers, and application developers.

19 comments
  • nick Jun 5, 2007 @ 16:34

    This works great on local users it seems, but its not having any effect on ldap users, or groups, what would you suggest as a way to control their access?

  • nixCraft Jun 5, 2007 @ 18:04

    It should work, you need to play with pam modules. Pam is designed for this kind of work only.

  • Gerald Aug 28, 2009 @ 10:32

    If you want to block all ssh access (via login/password) AND via authorized_keys, you should use ‘account required item=user sense=allow file=/etc/ssh/sshd.allow onerr=succeed’

    because the ‘auth xxx’ line seems not to be checked if sshd uses public key authentication.

    Best Regards

  • Bhagesh Sep 2, 2009 @ 11:52

    It is working fine for ssh and scp.
    Now I want to block only the ssh login session, and I require the scp file transfer.
    Anybody have an idea?

  • Chuck Hale Dec 22, 2009 @ 11:34

    Article solved my problem!

  • Kevin Dec 30, 2009 @ 23:21

    In my experience, the line:
    auth required item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

    must be prepended (i.e., placed as the first line) in the file, not appended as this article states.

  • vimbyseno Mar 16, 2010 @ 14:37

    my config:
    auth required /lib/security/ item=user sense=allow file=/etc/sshd/user-sshd onerr=fail

    user in user-sshd:

    now root can’t remote into the vps 🙁
    if I log in as root using putty, the console window (putty) closes immediately when root logs in to the vps 🙁
    how to solve my problem??? please help me

  • Rajesh Mar 29, 2010 @ 18:58

    boot from a rescue cd and edit the files.

  • Gerrard Geldenhuis May 13, 2010 @ 12:07

    As stated above it is key to prepend the line to allow it to be executed by pam. There is also no need at all to restart sshd.

  • suzuki Oct 2, 2010 @ 7:20

    it doesn’t work for my system. why?

  • mark Dec 14, 2011 @ 12:12

    It’s not working on openldap authentication with white list on /etc/ssh/ssh.allow.

    Dec 14 18:47:11 PDCSERVER slapd[21346]: conn=64795871 op=1 SRCH base=”ou=Users,dc=kama,dc=in” scope=1 deref=0 filter=”(&(objectClass=shadowAccount)(uid=rana.taba))”

    Dec 14 18:47:11 showa9 sshd[22655]: error: PAM: Authentication failure for rana.taba from

  • dave Nov 22, 2012 @ 14:07

    I have a question regarding difference between using onerr=fail and onerr=succeed. Does it mean that if I have onerr=succeed and in case something unexpected happens with PAM module, it will allow user login to continue? If this is true then this is big security risk, but on the other hand big risk is also having onerr=fail which will lock the system completely in case something unexpected happens.

  • Josh May 29, 2013 @ 12:53

    Please be aware that this only works if PAM is processed. If you’re using SSH keys, PAM _auth_ will be skipped entirely, thus allowing anyone with a key in to the system. You would need to limit it in the account or session areas instead, or sshd itself.
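One way to check a service file for the gap Josh describes, as an added example that is not part of the original post: it scans a PAM service file supplied by the caller for pam_listfile.so entries (the real module name) and warns when none of them is in the account stack, and also when an allow list is combined with onerr=succeed (the fail-open case dave asks about above). The service file built in the demo is constructed, not a real /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the article or its commenters: audits a PAM
# service file for pam_listfile.so entries. An entry only in the "auth"
# stack is skipped when sshd accepts a public key, so the list should also
# be enforced in "account"; sense=allow with onerr=succeed lets everyone in
# when the list file is unusable. Returns 0 when no problem was found,
# 1 otherwise, after printing one line per entry and any warnings.
audit_listfile() {
    pamfile=$1 account_hits=0 problems=0
    while read -r line; do
        # Skip comments and every line that does not load pam_listfile.so.
        case $line in '#'*) continue ;; *pam_listfile.so*) ;; *) continue ;; esac
        type=${line%%[[:space:]]*}          # auth, account, session or password
        opts=${line#*pam_listfile.so}       # the item=/sense=/file=/onerr= part
        echo "$type stack:$opts"
        [ "$type" = account ] && account_hits=$((account_hits + 1))
        case $opts in
            *sense=allow*onerr=succeed*|*onerr=succeed*sense=allow*)
                echo "  WARNING: allow list with onerr=succeed fails open on a bad file"
                problems=$((problems + 1)) ;;
        esac
    done < "$pamfile"
    if [ "$account_hits" -eq 0 ]; then
        echo "WARNING: no account-stack entry; key-based logins bypass an auth-only list"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo: a constructed service file carrying only the article's auth line.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
      'auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail' \
      '@include common-auth' > "$tmp"
    audit_listfile "$tmp" || echo "audit found problems"
    rm -f "$tmp"
}
demo
```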

  • Jade Aug 30, 2014 @ 18:45

    Thank you for sharing your info. I truly appreciate your efforts and I am waiting for your further write ups thanks once again.

  • Jens Rantil Aug 31, 2014 @ 15:47

    Typo: coreect => correct

  • Chris Jan 21, 2015 @ 20:08

    Issue here is /etc/security/limits.conf and the ‘maxlogins’ parameter. It works fine for unprivileged users, but I also want it to apply to root logins, whether they are from the console or SSH. My limits.conf has:

    root - maxlogins 2

    but it does not work.

    # man limits.conf

    maximum number of logins for this user except for this with uid=0

    # man pam_limits

    Users of uid=0 are affected by this [sic] limits, too.

    Josh, I was hoping your pointer re: SSH keys would do the trick — I moved /root/.ssh/authorized_keys to authorized_keys.bak, and password prompts came back … but root can still login via SSH infinitely.

  • Ronda Margaret Apr 12, 2016 @ 17:17

    Nice post. I learn something new and challenging on websites I stumbleupon on a daily basis. It’s always interesting to read articles from other authors and use a little something from their web sites.

  • vinay Jan 17, 2017 @ 5:49

    Hi All ,

    I wanted to disable UsePAM no in ssh configuration file at user level so could you please help to achieve the same .

  • Angel Genchev Apr 27, 2017 @ 15:08

    I got here trying to do the opposite – to authenticate a user by forcing him to log in to a remote ssh server.
