How to Enable/Disable SSH access for a particular user or user group in Linux

Based on your organization standard policy, you may need to allow only the list of users or user groups who are allowed to access the Linux system.

How to achieve this? Which is the simple and best way?

There are many ways available to perform this.However, we need to go with simple and easy method.

It can be done by making the necessary changes in /etc/ssh/sshd_config file.

In this article we will show you, how to perform this in details.

Why are we doing this? due to security reason. Navigate to the following URL to know more about openSSH usage.

What Is SSH?

openssh stands for OpenBSD Secure Shell. Secure Shell (ssh) is a free open source networking tool which allow us to access remote system over an unsecured network using Secure Shell (SSH) protocol.

It’s a client-server architecture. It handles user authentication, encryption, transferring files between computers and tunneling.

These can be accomplished via traditional tools such as telnet or rcp, these are insecure and use transfer password in cleartext format while performing any action.

How to Allow a User to access SSH in Linux?

We can allow/enable the ssh access for a particular user or list of the users using the following method.

If you would like to allow more than one user then you have to add the users with space in the same line.

To do so, just append the following value into /etc/ssh/sshd_config file.

In this example, we are going to allow ssh access for user3.

# echo "AllowUsers user3" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd

# service restart sshd

Simply open a new terminal or session and try to access the Linux system with different user. For example user2 is not allowed for SSH login and will be getting an error message as shown below.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user2
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2

At the same time user3 is allowed to login into the system because it’s in allowed users list.

# ssh [email protected]
[email protected]'s password: 
[user3@CentOS7 ~]$

Output:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)

How To Block Users To Access SSH In Linux?

We can block/disable the ssh access for a particular user or list of the users using the following method.

If you would like to disable more than one user then you have to add the users with space in the same line.

To do so, just append the following value in /etc/ssh/sshd_config file. In this example, we are going to disable ssh access for user1.

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

It done . Just bounce the ssh service and see the magic.

# systemctl restart sshd

# service restart sshd

Simply open a new terminal or session and try to access the Linux system with blocked user. Yes, user1 is in blocked users list. So, you will be getting an error message as shown below when you are try to login.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2

How to Allow user groups to Access SSH in Linux?

We can allow/grant the ssh access for a particular group or list of groups using the following method.

If you would like to allow more than one group then you have to add the groups with space in the same line.

To do so, just append the following value in /etc/ssh/sshd_config file. In this example, we are going to disable ssh access for 2g-admin group.

# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# cat /etc/ssh/sshd_config | grep -i allowgroups
AllowGroups 2g-admin

Run the following command to know the list of the users belongs to this group.

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd

# service restart sshd

Yes, user3 is allowed to login into the system because user3  belongs to 2g-admin group.

# ssh [email protected]
[email protected]'s password: 
[user1@CentOS7 ~]$

Output:

Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)

Yes, user2 is allowed to login into the system because user2  belongs to 2g-admin group.

# ssh [email protected]
[email protected]'s password: 
[user2@CentOS7 ~]$

Output:

Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

When you try to login into the system with other users which are not part of this group then you will be getting an error message as shown below.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=ladmin
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2

How to block user group to Access SSH in Linux?

We can block/disable the ssh access for a particular group or list of groups using the following method.

If you would like to disable more than one group then you need to add the group with space in the same line.

To do so, just append the following value in /etc/ssh/sshd_config file.

# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config

You can double check this by running the following command.

# # cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups 2g-admin
# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That’s it. Just bounce the ssh service and see the magic.

# systemctl restart sshd

# service restart sshd

Yes user3 isn’t allowed to login into the system because  not part of 2g-admin group which is  in Denygroups.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2

Anyone can login into the system except 2g-admin group. Hence, ladmin user is allowed to login into the system.

# ssh [email protected]
[email protected]'s password: 
[ladmin@CentOS7 ~]$

Output:

Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

Leave a Reply

Your email address will not be published. Required fields are marked *