OpenSSH Deny or Restrict Access To Users and Groups

SSH restricting which users can log in server

OpenSSH has two pairs of directives for allowing and denying SSH user access: DenyUsers and DenyGroups, and AllowUsers and AllowGroups. sshd evaluates them in a fixed order (DenyUsers, AllowUsers, DenyGroups, then AllowGroups), and a login must pass every directive that is set. You can use the following configuration to restrict which users can log in to your Linux, Unix or BSD based server.

Restricting which users can log in

The syntax is:
DenyUsers user1 user2 user3
Use DenyUsers to block logins for the listed user names. A pattern may contain the wildcards * (any string) and ? (a single character), and it may take the form USER@HOST, in which case the user name and the client host are checked separately, so user1@host blocks user1 only when connecting from host.

DenyGroups group1 group2
A list of group name patterns: if the user's primary group or any of their supplementary groups matches one of the patterns, login is denied. Wildcards are allowed here too. Note that only names are valid; numeric user or group IDs are not recognised. If none of these directives is used, the default is to allow login for all users.

Allowing selected users or groups explicitly to log in

The syntax is:
AllowUsers user1 user2
This directive is the opposite of DenyUsers: if it is set, only user1 and user2 are allowed to log in to the server, and every other account is denied. The same wildcard and USER@HOST patterns apply.

AllowGroups group1 group2
This directive is the opposite of DenyGroups: if it is set, only users whose primary or supplementary group is group1 or group2 are allowed to log in. When both AllowUsers and AllowGroups are set, a user has to satisfy both lists, which is the usual reason a login that "should" work is refused.


To help secure your OpenSSH based server, you can explicitly allow only the users sai and vivek to log in via SSH. Edit the file /etc/ssh/sshd_config as the super user:

sudo vi /etc/ssh/sshd_config

Add/edit/append the following line:

AllowUsers sai vivek

Save and close the file. Keep your current SSH session open while you restart, and confirm from a second terminal that one of the allowed users can still log in before you close it, otherwise a typo in the allow list can lock you out. Next, restart your SSH daemon service:

## Ubuntu/Debian user ##
sudo service ssh restart
# only for systemd based Ubuntu/Debian 8.x+ users #
sudo systemctl restart ssh
#### RHEL/CentOS/Fedora Linux user ####
sudo service sshd restart
# only for systemd based RHEL/CentOS v7+ users #
sudo systemctl restart sshd
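As an added example (not code from this article or from OpenSSH), the following Python script applies the AllowUsers and PermitRootLogin settings above the way a careful administrator would: it rewrites a copy of the file, replacing any existing active line for the directive outside Match blocks and appending directives that are missing, then runs sshd -t -f on the copy before installing it. The sample configuration text, the helper names set_directives, validate_with_sshd and apply_hardening, and the .bak backup path are this example's own assumptions. sshd -t also loads the host keys, so the install step has to run as root to be meaningful.

```python
#!/usr/bin/env python3
"""Set sshd_config directives safely: rewrite a copy, validate, then install.

Added example for this article, not part of OpenSSH. /etc/ssh/sshd_config is
the usual path; the helper names and the sample text below are assumptions
made for the demonstration.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Directives the article sets.
HARDENING = {
    "AllowUsers": "sai vivek",
    "PermitRootLogin": "no",
}


def _keyword(line: str) -> str:
    """Lower-cased keyword of a config line ('' for blank lines)."""
    return re.split(r"[\s=]", line.strip(), maxsplit=1)[0].lower()


def set_directives(config_text: str, directives: dict) -> str:
    """Return config_text with each directive present exactly once at top level.

    The first active line for a key (outside any Match block) is replaced in
    place and later active duplicates are dropped. That matters for two reasons:
    for list directives such as AllowUsers sshd accumulates every line it reads,
    so a forgotten 'AllowUsers olduser' elsewhere silently widens the allow
    list; for scalar directives such as PermitRootLogin the first line wins, so
    a later 'PermitRootLogin no' would be ignored. Commented-out lines are kept.
    Missing keys are appended above the first Match block so they stay global.
    """
    lines = config_text.splitlines()
    split = len(lines)
    for i, line in enumerate(lines):
        if _keyword(line) == "match":
            split = i
            break
    top, rest = lines[:split], lines[split:]
    wanted = {k.lower(): k for k in directives}
    seen = set()
    out = []
    for line in top:
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            key = _keyword(stripped)
            if key in wanted:
                real = wanted[key]
                if real in seen:
                    continue  # stale duplicate: drop it
                out.append(f"{real} {directives[real]}")
                seen.add(real)
                continue
        out.append(line)
    for real in directives:
        if real not in seen:
            out.append(f"{real} {directives[real]}")
    return "\n".join(out + rest) + "\n"


def validate_with_sshd(config_text: str) -> Optional[bool]:
    """Check the text with `sshd -t -f <copy>`.

    Returns True/False for sshd's verdict, or None if no sshd binary is found.
    """
    sshd = shutil.which("sshd") or shutil.which("sshd", path="/usr/sbin:/usr/local/sbin")
    if sshd is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sshd_config", delete=False) as tmp:
        tmp.write(config_text)
        copy = Path(tmp.name)
    try:
        result = subprocess.run([sshd, "-t", "-f", str(copy)], capture_output=True, text=True)
        if result.returncode != 0:
            print(result.stderr.strip())
        return result.returncode == 0
    finally:
        copy.unlink()


def apply_hardening(path: str = "/etc/ssh/sshd_config", directives: dict = HARDENING) -> Optional[bool]:
    """Rewrite `path` in place after validation; keeps a .bak copy of the original."""
    target = Path(path)
    new_text = set_directives(target.read_text(), directives)
    verdict = validate_with_sshd(new_text)
    if verdict is False:
        raise SystemExit("sshd -t rejected the new configuration; nothing written")
    shutil.copy2(target, target.with_suffix(".bak"))
    target.write_text(new_text)
    return verdict


# Constructed sample of a distribution default file (not taken from any system).
SAMPLE_CONFIG = """\
# Package generated configuration file
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    print(set_directives(SAMPLE_CONFIG, HARDENING), end="")
    # apply_hardening() does the same to /etc/ssh/sshd_config; run it as root.
```

Running the script prints the sample with PermitRootLogin yes replaced by PermitRootLogin no and AllowUsers sai vivek appended above the Match block; the indented PermitRootLogin inside the Match block is left alone because it only applies to that user. After apply_hardening() returns True, restart sshd as shown above and test the login from a second terminal.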

Restricting root user

For security reasons you should block direct SSH logins for the root user on Linux and Unix-like systems. First, make sure at least one user is allowed to use the 'su -' or 'sudo' command on the server and that you can log in as that user, or you will lose administrative access over SSH. Open the /etc/ssh/sshd_config file, enter:
# vi /etc/ssh/sshd_config
$ sudo vi /etc/ssh/sshd_config
Append the following directives:

DenyUsers root
DenyGroups root

Also make sure the following is set in sshd_config:

PermitRootLogin no

Save the file and restart sshd. PermitRootLogin no by itself already stops root from logging in over SSH; the OpenSSH default since version 7.0 is prohibit-password, which still permits key-based root logins, so do not rely on the default. The DenyUsers and DenyGroups entries are a second layer, and DenyUsers root fires before PermitRootLogin is even consulted. Be aware that DenyGroups root also denies any non-root account that has root as a primary or supplementary group. If you genuinely need root over SSH from one trusted host, for example for automated jobs, keep PermitRootLogin no globally and re-enable it with prohibit-password inside a Match Address block for that host only. With the four directives above you have restricted the users allowed to access the system via SSH.
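The following Python model, added here as an example and not taken from OpenSSH, reproduces the evaluation order that sshd_config(5) documents for the four directives described earlier (DenyUsers, AllowUsers, DenyGroups, AllowGroups) together with PermitRootLogin, and runs this article's policy plus a root-from-localhost variant against a set of constructed accounts. It shows why an account absent from AllowUsers is refused even though no Deny directive names it, why AllowUsers and AllowGroups must both be satisfied when both are present, and that DenyUsers root refuses root before PermitRootLogin is consulted. Simplifications that are assumptions of this model rather than sshd behaviour: the HOST part of USER@HOST is compared only with the client IP string (sshd also tries the reverse-resolved host name and CIDR masks), '!' negation patterns are not handled, and Match blocks are ignored. The account names, groups and addresses are constructed.

```python
#!/usr/bin/env python3
"""Model of sshd's per-user access checks, for testing a policy before deploying it.

Added example for this article, not OpenSSH code. Order follows sshd_config(5):
DenyUsers, AllowUsers, DenyGroups, AllowGroups, then PermitRootLogin.
Assumed simplifications: HOST in USER@HOST is matched against the client IP
string only, '!' patterns are not handled, Match blocks are ignored.
"""
from fnmatch import fnmatchcase

LIST_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_policy(config_text):
    """Collect the four list directives and PermitRootLogin from sshd_config text."""
    policy = {k: [] for k in LIST_KEYS}
    policy["permitrootlogin"] = "prohibit-password"  # OpenSSH default since 7.0
    root_set = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            break  # the rest applies only to matching connections: out of scope
        if key in LIST_KEYS:
            policy[key].extend(value.split())  # repeated lines accumulate in sshd
        elif key == "permitrootlogin" and not root_set:
            policy[key] = value.lower()  # scalar keyword: sshd keeps the first value
            root_set = True
    return policy


def matches(name, patterns, client_ip=None):
    """True if name matches any glob pattern ('*' and '?').

    A USER@HOST pattern also requires the client address to match HOST.
    Group lists are matched with client_ip=None, so '@' patterns never apply.
    """
    for pat in patterns:
        if "@" in pat:
            if client_ip is None:
                continue
            user_pat, _, host_pat = pat.partition("@")
            if fnmatchcase(name, user_pat) and fnmatchcase(client_ip, host_pat):
                return True
        elif fnmatchcase(name, pat):
            return True
    return False


def login_allowed(policy, user, groups, client_ip, auth="publickey"):
    """Return (allowed, reason), applying the checks in sshd's order."""
    if matches(user, policy["denyusers"], client_ip):
        return False, "DenyUsers"
    if policy["allowusers"] and not matches(user, policy["allowusers"], client_ip):
        return False, "AllowUsers"
    if any(matches(g, policy["denygroups"]) for g in groups):
        return False, "DenyGroups"
    if policy["allowgroups"] and not any(matches(g, policy["allowgroups"]) for g in groups):
        return False, "AllowGroups"
    if user == "root":
        mode = policy["permitrootlogin"]
        if mode == "no":
            return False, "PermitRootLogin no"
        if mode != "yes" and auth == "password":
            # prohibit-password, without-password and forced-commands-only
            # all refuse password authentication for root
            return False, f"PermitRootLogin {mode}"
    return True, "allowed"


def evaluate(config_text, cases):
    """Reason for each (user, groups, client_ip, auth) case, in input order."""
    policy = parse_policy(config_text)
    return [login_allowed(policy, u, g, ip, a)[1] for u, g, ip, a in cases]


# The policy this article builds up.
ARTICLE_POLICY = """\
AllowUsers sai vivek
DenyUsers root
DenyGroups root
PermitRootLogin no
"""

# Variant: root only from the local host, combined with a group allow list.
LOCALHOST_ROOT_POLICY = """\
AllowUsers root@127.0.0.1
AllowGroups users
"""

# Constructed login attempts: (user, groups, client ip, authentication method).
CASES = [
    ("sai", ["sai", "sudo"], "203.0.113.7", "publickey"),
    ("vivek", ["vivek"], "203.0.113.7", "password"),
    ("bob", ["bob", "users"], "203.0.113.7", "publickey"),
    ("root", ["root"], "203.0.113.7", "publickey"),
    ("root", ["root"], "127.0.0.1", "publickey"),
    ("root", ["root", "users"], "127.0.0.1", "publickey"),
    ("root", ["root", "users"], "127.0.0.1", "password"),
]

if __name__ == "__main__":
    for name, text in (("article", ARTICLE_POLICY), ("localhost-root", LOCALHOST_ROOT_POLICY)):
        print(f"== {name} ==")
        for (user, groups, ip, auth), reason in zip(CASES, evaluate(text, CASES)):
            print(f"{user:6} {ip:12} {auth:10} {','.join(groups):12} -> {reason}")
```

Under the article policy every root attempt is refused at DenyUsers, and bob is refused at AllowUsers although nothing denies him by name. Under the localhost variant, bob is still refused by AllowUsers even though he is in the users group, and root from 127.0.0.1 is refused by AllowGroups until root is also a member of users; with both satisfied, root gets in with a key but not with a password because of the prohibit-password default. Which check fires first is also what you see in the logs: sshd records messages of the form "User root from 203.0.113.7 not allowed because not listed in AllowUsers" or "... because listed in DenyUsers", so the reason strings here map directly onto what to grep for when a login is unexpectedly rejected.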

28 comments… add one
  • eMBee Aug 1, 2006 @ 23:09

    I disagree with blocking root entirely.

    I like to use ssh public+private keys for root access, giving each root user their own key and password, and thus avoiding the hassle of a shared password. Shared passwords are a great security risk, and hard to change, as you need to get all root users together when the password is to be changed.

    Unfortunately, I have not yet figured out how to restrict root to only be able to use ssh from localhost (other than using a separate process).

  • 🐧 nixCraft Aug 1, 2006 @ 23:50


    Root is not allowed to log in via ssh. However, user embee can log in and run su - to become a superuser. This way root is blocked from network login, but a normal sysadmin can log in over ssh and become a superuser on demand.

    restrict root to only be able to use ssh from localhost

    Try out following entry:
    AllowUsers root@localhost

    If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

    I hope this helps.

  • Planet Malaysia Aug 2, 2006 @ 6:48

    How about if, let's say, you want to do rsync? Should you use username root? Besides root, how can I rsync so many folders with different permissions?

  • eMBee Aug 2, 2006 @ 13:36

    Using su forces the use of a shared password, which is what I want to avoid.

    AllowUsers says in the documentation:
    “If specified, login is allowed only for user names that match one of the patterns.”

    That means ALL OTHER users will be blocked, which is not desired either. I need something that allows me to say: allow any users except root from anywhere, and root only from localhost.

    There may be a way to combine AllowUsers and AllowGroups, but the docs say nothing about how those two would interact.

  • eMBee Aug 2, 2006 @ 13:38

    Planet Malaysia: for rsync you would want to allow root specifically for the host that you are synchronizing with.

  • 🐧 nixCraft Aug 2, 2006 @ 14:56


    Have you evaluated or considered the sudo option? I use sudo extensively here. Although it is not 100% perfect, it is better than sharing the root password. It also logs all failed (or command access) messages. Sudo is your best option, IMPO.

    Let me know if you are aware of any other tools or methods….

  • 🐧 nixCraft Aug 2, 2006 @ 14:58

    Planet Malaysia, follow eMBee’s suggestion or add the user to a group and grant the necessary file-level permissions.

  • 🐧 nixCraft Aug 2, 2006 @ 15:04

    You need to configure PAM login access control tables. These tables will give you the desired effect, i.e. allow any users except root from anywhere, and root only from localhost (just like iptables).

    There is also an iptables module which attempts to match various characteristics of the packet creator (both INPUT and OUTPUT chains), but it is badly broken and it may not work on SMP systems at all.

    I will post more info about login access control tables soon. See URL:

  • eMBee Aug 2, 2006 @ 23:48

    I did a few quick tests on the interaction of AllowUsers and AllowGroups and it seems that they can’t really be used together. When I set:

    AllowUsers: root@localhost
    AllowGroups: users

    the result was that no one could log in; even adding root to the group users didn’t help.

  • eMBee Aug 3, 2006 @ 0:03

    LinuxTitli: using the user's password for root access is not really good either. If some user's account is compromised (because someone managed to get at the user's password), then root is automatically compromised as well.

    I look forward to trying the suggestions in nixCraft's new article soon.

  • steve Jul 20, 2007 @ 6:42

    Dear all,

    How can I restrict a user from viewing other users' folders, except his own folder, after login?



  • sobas Sep 17, 2007 @ 7:23

    PermitRootLogin no

    The above denies root login remotely, but root is still able to log in locally on the console.

    Use sudo to give access to sysadmins.

  • ramsam Jul 16, 2008 @ 16:45

    OS: Ubuntu 7.10

    I tried adding AllowUsers and restarting the sshd server, but it still allows other users to ssh.
    It does not restrict users either… I even tried DenyUsers; nothing works…. Need help.

    Thank you.

  • jose antonio Nov 16, 2008 @ 0:05

    Thank you very much!

  • milegrin Aug 14, 2009 @ 8:34


    Like eMBee, I am trying to deny root login from everywhere EXCEPT a specific host which is used to run automated remote tasks as root through ssh using keys.

    I have tried combinations of AllowUsers and DenyUsers to no avail.
    sshd_config takes preference over ssh_config, so host definitions get overridden by the sshd_config entry “PermitRootLogin no”.

    Using PAM restrictions is not really an option as this is an AIX box.

    Any idea as to how to achieve this would be greatly appreciated!
    – Michael

  • LinuxLuser Aug 27, 2009 @ 4:24

    eMBee / milegrin,

    Your best option may well just be a separate sshd process that listens on a different port, that only allows root access. I would combine that with iptables (or another firewall) to only accept incoming connections to your second sshd port from your known/allowed hosts. Then, just update your automated scripts to connect to your non-standard port. Not too bad, considering that once you get it set up, it should run forever. Any localhost root users should be smart enough to accommodate the non-standard port assignment.


  • Daniel Reinhardt Dec 1, 2009 @ 12:42

    For those of you who want to enable root access for multiple people, set up sudo and give people sudo access via the sudoers file. This way you can limit what each sudo user does.

  • milegrin Dec 1, 2009 @ 21:16

    sudo is already in place for standard OS & application admins. Direct root SSH is required for AIX’s CSM or “Cluster Server Manager”, which essentially allows me to run a command from the CSM server on all servers or a specific server, and I use it extensively for various reporting scripts, security and other functions, but it requires root ssh.

    I have yet to find a decent working solution that does not rely on multiple instances or external dependencies (e.g. PAM), but I have heard it can be done; however, how is another animal completely.

    Thanks again for the advice

  • sahab Dec 30, 2009 @ 17:22

    Hi All
    How can I limit the user to one SSH login at a time in FreeBSD 7.2? I have added the below entry in @username – maxlogins 1

    This method works with Ubuntu Linux, not in FreeBSD.

    Any idea for resolving this?

  • Andreas Jun 22, 2010 @ 9:27

    Put the following line into sshd_config; then you are able to log in as root with certs, but not with a password:

    PermitRootLogin without-password

  • DarkFader Jul 20, 2010 @ 23:18

    Match Address
    PermitRootLogin without-password

    Yes, you can do that. It seems to work somewhat, although it still asks for a password from elsewhere.
    Now I can have my “alias sshdo=’ssh root@localhost'” combined with ssh-agent 🙂

  • suzuki Sep 26, 2010 @ 9:29

    I tried editing sshd_config with AllowUsers root, but all users can ssh to the configured host. I tried DenyUsers too, but that is not working either. Why?
    What did I miss?

    Thanks for any help

  • Rashid May 14, 2011 @ 10:06

    Thanks, very helpful. I block ICMP on my server through this.


  • Lhavanya Feb 6, 2013 @ 6:55

    Is it possible to add the same user name in the allow group as well as the deny group?

    If yes, which takes more preference? And how does it work?

    Anybody who knows, please help.

  • Ismael Rodriguez Oct 23, 2014 @ 18:40

    I need to configure my ssh server to accept my students to log in and do some scripting, but I have a problem: the guys start to learn how to kill each other's processes and they sometimes shut down the server. I want to know if there is a way to block or restrict the execution of the “kill”, “killall”, “shutdown”, “reboot” etc. commands?

    Thanks for the help

  • Kevin Delaney Jan 20, 2016 @ 2:13

    I fear that you placed the word “only” in the wrong place in the sentence:

    “This directive is opposite of DenyUsers directive i.e. user1 and user2 are _only_ allowed to log in into the server.”

    In the above sentence the word “only” modifies the verb “allowed.” Your sentence implies a restriction on where user1 and user2 can log in. They can _only_ log into the server. They cannot log in anywhere else.

    I think you meant: “This directive is opposite of DenyUsers directive i.e. only user1 and user2 are allowed to log in into the server.”

    Moving the word “only” from before “allowed” to before “user1” might clarify your post.

  • Kevin Delaney Jan 20, 2016 @ 2:20

    If you really want to make the post clear, you might say affirmatively:

    “only user1 and user2 can log in. Everyone else is denied.”

    I suspect that the people who are reading this post from Google are most interested in figuring out how to deny SSH access. The primary reason people would write AllowUser in the configuration is because they want to deny SSH access to every account which is not in the list. (Considering the number of brute force SSH attacks taking place these days, this is not an uncommon request.)

  • Thomas Könning Feb 24, 2016 @ 12:00


    Does someone know if these directives can take LDAP users or groups as arguments?
    I am not sure if this is possible, but I have doubts about that.

