OpenSSH has two directives for allowing and denying SSH user access. You can use the following configuration to restrict which users can log in to your Linux, Unix or BSD based server.
Restricting which users can log in
The syntax is:
DenyUsers user1 user2 user3
Use DenyUsers to block user login. You can use wildcards as well as the user1@cyberciti.com pattern (user1 is not allowed to log in from the cyberciti.com host).
DenyGroups group1 group2
A list of group names; if the user's primary or supplementary group matches one of them, login access is denied. You can use wildcards. Please note that you cannot use a numeric group or user ID. If these directives are not used, the default is to allow everyone.
Allowing selected users or group explicitly to log in
The syntax is:
AllowUsers user1 user2
This directive is the opposite of the DenyUsers directive, i.e. only user1 and user2 are allowed to log in to the server.
AllowGroups group1 group2
This directive is the opposite of the DenyGroups directive, i.e. only members of group1 and group2 are allowed to log in to the server.
To help secure your OpenSSH based server, you can explicitly allow users sai and vivek to log in via SSH. Edit the file /etc/ssh/sshd_config as the super user:
sudo vi /etc/ssh/sshd_config
Add/edit/append the following line:
AllowUsers sai vivek
Save and close the file. Next, restart your SSH daemon service:
## Ubuntu/Debian user ##
sudo service ssh restart
# only for systemd based Ubuntu/Debian 8.x+ users #
sudo systemctl restart ssh
#### RHEL/CentOS/Fedora Linux user type ####
sudo service sshd restart
# only for systemd based RHEL/CentOS v7+ users #
sudo systemctl restart sshd
Restricting root user
For security reasons you should always block SSH access for the root user and group on Linux or Unix-like systems. First, make sure at least one user is allowed to use the 'su -' or 'sudo' command on the server. Open the /etc/ssh/sshd_config file, enter:
# vi /etc/ssh/sshd_config
$ sudo vi /etc/ssh/sshd_config
Append the following directives:
DenyUsers root
DenyGroups root
Also make sure the following is set in sshd_config:
Save the file and restart sshd. This is a secure setup: with the four directives above you are restricting which users are allowed to access the system via SSH.
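Because the four directives interact (sshd_config(5) evaluates DenyUsers first, then AllowUsers, DenyGroups and finally AllowGroups), it is easy to lock out a user you meant to keep. The following is an added example, not code from the original article or from OpenSSH: it parses a constructed sshd_config fragment and reports which directive decides access for a given user, group list and client address, assuming no Match blocks and only '*' and '?' wildcards.

```python
"""Evaluate OpenSSH AllowUsers/DenyUsers/AllowGroups/DenyGroups rules.

Added example, not code from the article or from OpenSSH. It follows the
evaluation order documented in sshd_config(5): DenyUsers, AllowUsers,
DenyGroups, AllowGroups. Assumptions: no Match blocks, only '*' and '?'
wildcards, and the host part of user@host is matched as a plain pattern.
"""
import re

# Constructed sshd_config fragment (not from a real server).
SAMPLE_CONFIG = """
AllowUsers sai vivek@10.8.0.*   # vivek only from the VPN range
DenyUsers root
DenyGroups root
AllowGroups admins wheel
"""

def _glob(pattern, text):
    """sshd-style wildcard match: '*' any run of chars, '?' one char."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text) is not None

def parse_rules(config_text):
    """Collect the four list directives; repeated lines accumulate as in sshd."""
    rules = {k: [] for k in ("denyusers", "allowusers", "denygroups", "allowgroups")}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # assumption: stop at Match blocks
            break
        if key in rules and len(parts) == 2:
            rules[key].extend(parts[1].split())
    return rules

def _user_matches(pattern, user, host):
    """Match 'user' or 'user@host'; host is the client hostname or address."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return _glob(upat, user) and _glob(hpat, host)
    return _glob(pattern, user)

def allowed_user(rules, user, groups, host):
    """Return (allowed, deciding directive) in sshd's order of evaluation."""
    if any(_user_matches(p, user, host) for p in rules["denyusers"]):
        return False, "DenyUsers"
    if rules["allowusers"] and not any(_user_matches(p, user, host) for p in rules["allowusers"]):
        return False, "AllowUsers"
    if any(_glob(p, g) for p in rules["denygroups"] for g in groups):
        return False, "DenyGroups"
    if rules["allowgroups"] and not any(_glob(p, g) for p in rules["allowgroups"] for g in groups):
        return False, "AllowGroups"
    return True, "allowed"

RULES = parse_rules(SAMPLE_CONFIG)
```

Note that with AllowUsers present, a user who is a member of an allowed group but not listed in AllowUsers is still refused, and a listed user whose groups match none of AllowGroups is refused as well.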
- Top 20 OpenSSH Server Best Security Practices
- Please note that if you want to deny or allow access for a large number of users, consider SSH PAM configuration. This is ideal for ISPs and web hosting service providers. See the PAM config that allows you to store usernames in text files for more info.