OpenSSH Root user account restriction – revisited

One of our earlier articles on restricting root logins over SSH generated a few more questions. One reader (eMBee) asks: "I need something that allows me to say: allow any users except root from anywhere, and root only from localhost (over an ssh session)."

PAM offers very fine-grained authentication and account control. The module to use here is pam_access, whose job is login access management. It grants or refuses a login based on:

  • Login names
  • Host or domain names
  • Internet addresses or network IP numbers
  • Terminal line names etc

Why does pam_access matter?

On a production server a login attempt can arrive from any networked computer. It is therefore important to control tightly which users may connect to the OpenSSH server, and from where.

How do I configure pam_access?

You need to edit the following two files:

  1. /etc/pam.d/sshd – the PAM configuration for the OpenSSH server (on some distributions the file is named /etc/pam.d/ssh instead).
  2. /etc/security/access.conf – the rule file that pam_access reads. When someone logs in, the file is scanned from the top for the first entry that matches the (user, host) combination, or the (user, tty) combination for non-networked logins; the permission field of that entry decides whether the login is accepted or refused. If no entry matches, access is granted. Each rule has the general syntax:
    permission : username: origins


  • permission : either "+" (access granted) or "-" (access denied)
  • username : one or more login names such as root or vivek, or group names, or the special keyword ALL (matches every user). A bare name is tried as a login name and also as a group name, so a rule written for "sim" also applies to members of group sim. The list can be narrowed with EXCEPT (for example ALL EXCEPT root).
  • origins : one or more tty names, host names, IP addresses, network numbers written with a trailing ".", domain names beginning with ".", or the special keywords ALL (any origin) and LOCAL (origins without a "." in them, such as tty or local service names). EXCEPT works in this field too.

Let us say you want logins arriving from a particular IP address to be limited to the users root and vivek.

Open file /etc/security/access.conf

# vi /etc/security/access.conf

Append the following line:

-: ALL EXCEPT root vivek:

Save the file and open /etc/pam.d/sshd:

# vi /etc/pam.d/sshd

Add the following entry to the account section. Put it ahead of the existing account lines rather than at the end of the file: PAM evaluates the stack in order, and if an earlier account module is marked sufficient and succeeds, the modules after it are skipped and pam_access would never run.

account required

Save and close the file.

With this rule in place, any user other than root or vivek who connects from that IP address is refused: the client sees the session end with a "Connection closed by ..." error and no further explanation. Note what the single rule does not do. A login from any other address matches no rule, and pam_access grants access when nothing matches, so root and vivek (and everyone else) can still log in from elsewhere; to confine them to that one address, follow the line with a second rule that denies them from the origin ALL. Each refusal is logged by pam_access; watch the log (/var/log/messages here, /var/log/secure or /var/log/auth.log on some distributions):

# tailf /var/log/messages


Aug  2 19:02:39 web02 pam_access[2091]: access denied for user `vivek' from `'

Remember that pam_access re-reads /etc/security/access.conf on every login, so changes take effect the moment you save the file, with no restart of sshd. A mistyped rule can lock you out immediately; keep an existing session open while you test the new rule from a second one.

More examples

a) I need something that allows me to say: allow any users except root from anywhere, and root only from localhost.

-:root:ALL EXCEPT localhost

Two caveats. First, the origin that pam_access compares against is the string sshd hands to PAM as PAM_RHOST: the client's resolved host name when UseDNS is enabled, otherwise its IP address. If the denial in your log shows "127.0.0.1" rather than "localhost", add the loopback addresses to the exception list alongside localhost. Second, the rule is only evaluated by services whose PAM stack includes pam_access; if you add the module to a shared account stack instead of sshd's alone, root's non-network logins (cron, the console) are checked too, and their origin is a tty or service name, so include LOCAL in the exception list for them.

b) Deny network and local login to all users except root and vivek (ALL in the origins field covers network hosts and ttys alike):

-:ALL EXCEPT root vivek:ALL

c) Allow root to log in from one network only:

+ : root :

On its own a "+" line changes nothing, because a login that matches no rule is allowed anyway. It has effect only as the first match ahead of a later, broader "-" line for root (one denying root from the origin ALL); that pair is how "root from this network only" is expressed.

Please note that this kind of restriction can be applied to any PAM-aware service, such as an FTP or telnet daemon, by adding the same account line to that service's file under /etc/pam.d/.
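To make the first-match rule concrete, here is an added example in Python (it is not code from the article or from Linux-PAM): a small model of how pam_access evaluates access.conf, applied to the rule from the walkthrough above, to example a), and to the user-versus-group ordering question raised in the comments. The group membership, the RFC 5737 addresses and the origin strings are constructed for illustration, and the LOCAL and group handling are simplified relative to the real module.

```python
"""Model of pam_access(8) rule evaluation for /etc/security/access.conf.

Added example, not code from the article or from Linux-PAM. It follows the
documented behaviour: lines are 'permission:users:origins', the FIRST line
whose user list and origin list both match decides, and a login matching no
line is granted. The group database and LOCAL handling are simplified
stand-ins for getgrnam(3) and the PAM_RHOST/PAM_TTY origin string.
"""
from typing import Callable, Dict, List, Set, Tuple

Rule = Tuple[bool, List[str], List[str]]  # (allow?, user tokens, origin tokens)

# Constructed group database: dia is a member of group sim, as in the reader
# question in the comments, so the bare token "sim" matches both of them.
GROUPS: Dict[str, Set[str]] = {"sim": {"sim", "dia"}}


def parse_access_conf(text: str) -> List[Rule]:
    """'#' starts a comment; the origins field is the rest of the line, so
    IPv6 addresses containing ':' survive the split."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected 'permission:users:origins', got {raw!r}")
        users = fields[1].replace(",", " ").split()    # tokens separated by spaces or commas
        origins = fields[2].replace(",", " ").split()
        rules.append((fields[0] == "+", users, origins))
    return rules


def _user_match(tok: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):      # "(sim)": group only
        return user in groups.get(tok[1:-1], set())
    # A bare token is tried as a login name and then as a group name, which is
    # why "-:sim:..." also catches user dia, a member of group sim.
    return tok == user or user in groups.get(tok, set())


def _origin_match(tok: str, origin: str) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":                                   # no dot or colon: a tty or service name
        return "." not in origin and ":" not in origin
    if tok.startswith("."):                              # ".example.com": domain suffix
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):                                # "192.152.100.": network prefix
        return origin.startswith(tok)
    return tok.lower() == origin.lower()                 # exact host name or address


def _list_match(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when an item before EXCEPT matches and none after it does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_match(tokens[:i], match) and not _list_match(tokens[i + 1:], match)
    return any(match(t) for t in tokens)


def decide(rules: List[Rule], user: str, origin: str,
           groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """True if access is granted: the first matching rule wins, no match means allow."""
    for allow, users, origins in rules:
        if (_list_match(users, lambda t: _user_match(t, user, groups))
                and _list_match(origins, lambda t: _origin_match(t, origin))):
            return allow
    return True


# Constructed scenarios using RFC 5737 documentation addresses.
ARTICLE_RULE = "-:ALL EXCEPT root vivek:192.0.2.5"            # the walkthrough rule, address assumed
ROOT_LOCAL_ONLY = "-:root:ALL EXCEPT localhost"                # example a)
ROOT_LOCAL_ONLY_FIXED = "-:root:ALL EXCEPT localhost 127.0.0.1 ::1 LOCAL"
USER_BEFORE_GROUP = "+:dia:192.152.100.\n-:sim:192.152.100."   # the dia/sim question
GROUP_BEFORE_USER = "-:sim:192.152.100.\n+:dia:192.152.100."


def demo() -> Dict[str, bool]:
    """Evaluate the rules above against representative logins."""
    p = parse_access_conf
    return {
        "bob@192.0.2.5": decide(p(ARTICLE_RULE), "bob", "192.0.2.5"),           # denied
        "vivek@198.51.100.7": decide(p(ARTICLE_RULE), "vivek", "198.51.100.7"),  # allowed: nothing matched
        "root@localhost": decide(p(ROOT_LOCAL_ONLY), "root", "localhost"),      # allowed
        "root@192.0.2.10": decide(p(ROOT_LOCAL_ONLY), "root", "192.0.2.10"),    # denied
        "root@127.0.0.1": decide(p(ROOT_LOCAL_ONLY), "root", "127.0.0.1"),      # denied: address != "localhost"
        "root@cron": decide(p(ROOT_LOCAL_ONLY), "root", "cron"),                # denied if the stack is shared
        "root@127.0.0.1/fixed": decide(p(ROOT_LOCAL_ONLY_FIXED), "root", "127.0.0.1"),  # allowed
        "root@cron/fixed": decide(p(ROOT_LOCAL_ONLY_FIXED), "root", "cron"),            # allowed via LOCAL
        "dia/user-first": decide(p(USER_BEFORE_GROUP), "dia", "192.152.100.4"),   # allowed
        "sim/user-first": decide(p(USER_BEFORE_GROUP), "sim", "192.152.100.4"),   # denied
        "dia/group-first": decide(p(GROUP_BEFORE_USER), "dia", "192.152.100.4"),  # denied: group rule hit first
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:24} {'allow' if ok else 'DENY'}")
```

Run it and compare the outcomes: the single "ALL EXCEPT root vivek" rule denies other users from the listed address but leaves every other origin unchecked; example a) refuses root when the origin arrives as 127.0.0.1 instead of localhost, or as the service name cron, which the extended exception list fixes; and swapping the dia/sim lines flips dia's result because a bare user token is also tried as a group name.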

19 comments… add one
  • Planet Malaysia Aug 3, 2006 @ 3:56

    Weird! I added "account required" to "/etc/pam.d/sshd" and modified "/etc/security/access.conf" to
    "-:ALL EXCEPT root:" but I still managed to ssh login from another IP address (e.g.,

  • Planet Malaysia Aug 3, 2006 @ 4:53

    I found a solution:
    vi /etc/security/access.conf and added this 2 lines
    - : root : ALL
    + : root :
    and save.

  • jeremiah Aug 30, 2006 @ 14:02

    You state that one should edit /etc/pam.d/sshd to enable the access.conf file. But this is not really what you should advise. What you should say is that one has to edit /etc/pam.d/ssh and add a line forcing usage of /etc/security/access.conf. If one just hacks on /etc/pam.d/sshd then anyone can still login since you have not configured PAM access.conf!

  • jeremiah Aug 30, 2006 @ 14:03

    You have to modify /etc/pam.d/ssh not /etc/pam.d/sshd

  • 🐧 nixCraft Aug 30, 2006 @ 14:31

    The file name changes from one Linux distro to another. So it may be ssh or sshd.

  • Matthew Feinberg Oct 3, 2006 @ 18:26

    That’s because pam_access scans access.conf for the first entry that matches the (user, host) combination. Your line does not match any address except, so you have denied all users except root from logging in from. The line does not affect connections from any other host.

  • Thorne Lawler Jan 14, 2009 @ 2:52

    How should this (fairly obvious, common) restriction be implemented on systems which do not use PAM?

    I’m quite disappointed with the OpenSSH dev team for this: A multitude of other Allow/Deny mechanisms have supported this kind of behaviour for longer than I’ve been alive. Why the great leap backwards?

  • Khandakar Ashfaqur Rahman Mar 19, 2009 @ 5:59

    Good Solution.


  • James Jun 4, 2009 @ 20:52


    Actually, OpenSSH does support a multitude of Allow/Deny mechanisms, though I believe they are all ANDed together. Thus, obtaining the behavior described in the intro to this page is not possible with OpenSSH alone. Here are the Allow/Deny mechanisms supported by OpenSSH.


  • Max Jun 24, 2009 @ 23:50

    How do you edit the access line to accept a group name with a space in it?:
    -:ALL EXCEPT Domain Users :ALL seems to read the group as Domain and Users. Adding "quotes" didn’t work either.

  • Peter L Dec 21, 2009 @ 23:19

    I found that the order of entries in /etc/pam.d/sshd matters. Line “account required” must be prepended, not appended to the end of the file. It must appear before the other “account” lines. Otherwise great guide – thanks dude!

  • Solaris Apr 16, 2010 @ 9:06

    You can use
    AllowUsers vivek@ root@ user2

    in /etc/ssh/sshd_config

    to allow user2 from anywhere and vivek and root from only that ip

    $ sudo /etc/init.d/ssh reload

  • danny Dec 1, 2011 @ 22:51

    Thanks for the info! Don’t forget to add :

    + : root : localhost.localdomain cron crond LOCAL

    Otherwise, your cron jobs will not work.

  • olivier Jan 11, 2012 @ 22:03

    This message is not really friendly for the user when they are denied access:
    "Connection closed by"

    Is there any way to tune the denied access message ?

    Something like : “access denied for user joe from host” for example ?

    • Olivier Jan 24, 2012 @ 7:55

      It works for me, but is there any way to tune the denied access message when a user is not allowed to connect ?

      Something like : “access denied for user joe from host” for example instead of the brutal “Connection closed by”


  • Feb 20, 2012 @ 17:26

    Hello, I have translated this topic to Lithuanian, and will post it on 2012-February-25th at 10 (AM) GMT+0 (I think) at the url: < it will have a link to this post.

    If the author says that he does not want it, I will not post it. But let me know, by email or reply here.


  • Maddie Sep 12, 2012 @ 0:21

    How do I configure access.conf so that the following rule is applied? :

    Allow the user dia to connect from 192.152.100.
    Deny the user sim to connect from 192.152.100.
    Particularity : both the users dia (uid = 8389753 ) and sim (uid = 500) belong to the group sim (gid : 500)
    Yes, the user and group sim have the same name and the same id.

    With the following syntax,
    - : sim : 192.152.100.
    the user sim is denied, as well as dia (because dia belongs to the group sim). access.conf considers sim as being both the user and group.

    How do I specify that I want to deny the user sim, but not the users who belong to the group sim?

    • Jason Barnett Sep 27, 2012 @ 18:47


      You simply need to specify ‘dia’ first and you will get your desired result. The access.conf uses the first entry that matches the (user, host) combination.

      Follow this syntax,
      + : dia :
      - : sim :

      Quote from access.conf man: “When someone logs in, the file access.conf is scanned for the first entry that matches the (user, host) or (user, network/netmask) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused.”

  • Marios Zindilis Apr 23, 2013 @ 11:26

    Thank you very much for this article!
