19 comment

  1. Weird! I added “account required pam_access.so” into “/etc/pam.d/sshd” and modify “/etc/security/access.conf” to
    “-:ALL EXCEPT root:” but I still managed ssh login from other IP Address(e.g:,

  2. I found a solution:
    vi /etc/security/access.conf and added this 2 lines
    – : root : ALL
    + : root :
    and save.

  3. You state that one should edit /etc/pam.d/sshd to enable the access.conf file. But this is not really what you should advise. What you should say is that one has to edit /etc/pam.d/ssh and add a line forcing usage of /etc/security/access.conf. If one just hacks on /etc/pam.d/sshd then anyone can still login since you have not configured PAM access.conf!

  4. That’s because pam_access scans access.conf for the first entry that matches the (user, host) combination. Your line does not match any address except, so you have denied all users except root from logging in from The line does not effect connections from any other host.

  5. How should this (fairly obvious, common) restriction be implemented on systems which do not use PAM?

    I’m quite disappointed with the OpenSSH dev team for this: A multitude of other Allow/Deny mechanisms have supported this kind of behaviour for longer than I’ve been alive. Why the great leap backwards?

  6. @Thorne

    Actually, OpenSSH does support a multitude of Allow/Deny mechanisms, though I believe they are all ANDed together. Thus, obtaining the behavior described in the intro to this page is not possible with OpenSSH alone. Here are the Allow/Deny mechanisms supported by OpenSSH.


  7. How do you edit the access line to accept a group name with a space in it?:
    -:ALL EXCEPT Domain Users :ALL seems to read the groups as Domain and Users. adding “quotes” didn’t work either.

  8. I found that the order of entries in /etc/pam.d/sshd matters. Line “account required pam_access.so” must be prepended, not appended to the end of the file. It must appear before the other “account” lines. Otherwise great guide – thanks dude!

  9. Thanks for the info! Don’t forget to add :

    + : root : localhost.locadomain cron crond LOCAL

    Otherwise, your cronjons will not work.

  10. This message is not really friendly for user when the don’t access :
    “Connection closed by xxx.xxx.xx.xx”

    Is there any way to tune the denied access message ?

    Something like : “access denied for user joe from host xxx.xxx.xxx.xxx” for example ?

    1. It works for me, but is there any way to tune the denied access message when a user is not allowed to connect ?

      Something like : “access denied for user joe from host xxx.xxx.xxx.xxx” for example instead of the brutal “Connection closed by xxx.xxx.xx.xx”


  11. How do I configure access.conf so that the following rule is applied? :

    Allow the user dia to connect from 192.152.100.
    Deny the user sim to connect from 192.152.100.
    Particularity : both the users dia (uid = 8389753 ) and sim (uid = 500) belong to the group sim (gid : 500)
    Yes, the user and group sim have the same name and the same id.

    With the follwing syntax,
    – : sim : 192.152.100.
    the user sim is denied, as well as dia (because dia belongs to the group sim). access.conf considers sim as being both the user and group.

    How do I specify that I want to deny the user sim, but not the users who belong to the group sim?

    1. @Maddie

      You simply need to specify ‘dia’ first and you will get your desired result. The access.conf uses the first entry that matches the (user, host) combination.

      Follow this syntax,
      + : dia :
      – : sim :

      Quote from access.conf man: “When someone logs in, the file access.conf is scanned for the first entry that matches the (user, host) or (user, network/netmask) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused.”

    Have a question? Post it on our forum!