How to enable or disable SSH for a specific user or user group in Linux

Company standards may require that only certain people, or only the users in a few groups, are allowed to access your Linux system. How can you meet such a requirement with a simple method?

There are many ways to do it, but the simplest is to make the necessary changes to the /etc/ssh/sshd_config file. This article shows the detailed steps.

Why do we do this? It is for security reasons. You can visit this link to get more information about the use of OpenSSH.

What is SSH?

OpenSSH stands for OpenBSD Secure Shell. Secure Shell (SSH) is a free and open source network tool that allows us to securely access remote hosts over an insecure network by using the Secure Shell (SSH) protocol.

It uses a client-server architecture (C/S) and provides functions such as user authentication, encryption, file transfer between computers, and tunneling.

We can also do this with traditional tools like telnet or rcp, but these tools are not secure because they transmit the password in clear text while performing any action.

How to Allow Users to Use SSH in Linux?

With the following directive we can enable SSH access for a specified user or list of users; once AllowUsers is set, users who are not listed are refused. If you want to allow multiple users, add them on the same line, separated by spaces.

To achieve this, just append the following value to the /etc/ssh/sshd_config file. In this example, we will allow user3 to use ssh.

# echo "AllowUsers user3" >> /etc/ssh/sshd_config

You can run the following command to check if it is added successfully.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers user3

That's it, now just restart the ssh service and see the magic happen. (The following two commands have the same effect. Please choose one according to your service management method.)

# systemctl restart sshd
or
# service sshd restart

Now open a new terminal or session and try to access the Linux system as a different user. Here user2 is not allowed to log in using SSH and gets the error message shown below.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user2
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2

At the same time user3 is allowed to log into the system because he is in the list of allowed users.

# ssh [email protected]
[email protected]'s password: 
[user3@CentOS7 ~]$

Output:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)

How to block users from using SSH in Linux?

With the following, we can deny SSH access to a specified user or list of users. If you want to deny multiple users, add them on the same line, separated by spaces.

To achieve this, just append the following value to the /etc/ssh/sshd_config file. In this example, we will disable ssh access for user1.

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

You can run the following command to check if it is added successfully.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

That's it, now just restart the ssh service and see the magic happen.

# systemctl restart sshd
or
# service sshd restart

Now open a new terminal or session and try to access the Linux system as the denied user. Here user1 is in the denied list, so when you try to log in you will get the error message shown below.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2

How to allow user groups to use SSH in Linux?

With the following, we can allow a specified group or multiple groups to use ssh.

If you want to allow multiple groups to use ssh then you need to separate the groups on the same line with spaces.

To achieve this, just append the following value to the /etc/ssh/sshd_config file. In this example, we will allow the 2g-admin group to use ssh.

# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config

You can run the following command to check if it is added successfully.

# cat /etc/ssh/sshd_config | grep -i allowgroups
AllowGroups 2g-admin

Run the following command to view the users who belong to this user group.

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it, now just restart the ssh service and see the magic happen.

# systemctl restart sshd
or
# service sshd restart

Yes, user1 is allowed to log into the system because user user1 belongs to the 2g-admin group.

# ssh [email protected]
[email protected]'s password: 
[user1@CentOS7 ~]$

Output:

Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)

Yes, user2 is allowed to log into the system because user user2 also belongs to the 2g-admin group.

# ssh [email protected]
[email protected]'s password: 
[user2@CentOS7 ~]$

Output:

Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

When you try to log in to the system using other users who are not in the allowed groups, you will get the error message as shown below.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=ladmin
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2
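The "not allowed because" lines in these outputs identify which account was refused, from where, and by which directive, so they are worth pulling out of the auth log on their own. The script below is an added example, not part of the original article; the function names are hypothetical and the sample lines are constructed in the format of the outputs shown here.

```sh
#!/bin/sh
# summarize_ssh_denials [FILE...]  (reads stdin when no file is given)
# Prints "COUNT USER SOURCE DIRECTIVE" for each sshd access-control
# rejection, most frequent first.
summarize_ssh_denials() {
    awk '
    / sshd\[[0-9]+\]: User .* not allowed because / {
        # Find the word "User" so the syslog prefix layout does not matter.
        for (i = 1; i <= NF; i++) if ($i == "User") break
        user = $(i + 1); src = $(i + 3)
        if      ($0 ~ /because not listed in AllowUsers/)  why = "AllowUsers"
        else if ($0 ~ /because listed in DenyUsers/)       why = "DenyUsers"
        else if ($0 ~ /groups are listed in AllowGroups/)  why = "AllowGroups"
        else if ($0 ~ /a group is listed in DenyGroups/)   why = "DenyGroups"
        else                                               why = "other"
        count[user " " src " " why]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines in the format of the outputs in this article.
sample_auth_log() {
    cat <<'EOF'
Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2
Mar 29 02:03:10 CentOS7 sshd[4951]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:05:42 CentOS7 sshd[4990]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.9 not allowed because a group is listed in DenyGroups
Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
EOF
}

sample_auth_log | summarize_ssh_denials
```

sshd evaluates these directives only after it has found the account in the user database, so each summarized line names an account that exists on the host.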

How to block a group of users from using SSH in Linux?

With the following, we can deny SSH access to a specified group or multiple groups.

If you want to deny multiple groups, add the groups on the same line, separated by spaces.

To achieve this, just append the following value to the /etc/ssh/sshd_config file.

# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config

You can run the following command to check if it is added successfully.

# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups 2g-admin
# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it, now just restart the ssh service and see the magic happen.

# systemctl restart sshd
or
# service sshd restart

user1 is not allowed to log into the system because he is a member of the 2g-admin group, which has ssh disabled.

# ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

Output:

Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6 user=user1
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2

All users except members of the 2g-admin group can log in to the system using ssh. For example, users such as ladmin are allowed to log into the system.

# ssh [email protected]
[email protected]'s password: 
[ladmin@CentOS7 ~]$

Output:

Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)

via: https://www.2daygeek.com/allow-deny-enable-disable-ssh-access-user-group-in-linux/
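sshd checks the four directives covered above in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login has to pass every one that is set, so lines appended in earlier sections keep affecting later ones. The sketch below is an added example (not from the original article and not OpenSSH code) that applies that order to a constructed file containing all four lines appended in this article: user1, user3 and ladmin are all refused. The function names and the per-user primary groups are assumptions; it matches exact names only and ignores patterns and Match blocks.

```sh
#!/bin/sh
# ssh_access_decision CONFIG USER "GROUP1 GROUP2 ..."
# Prints "allow" or "deny (<directive>)", checking in sshd's order:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Assumptions: exact names only (sshd also accepts wildcard and USER@HOST
# patterns) and no Match blocks. CONFIG may be "-" to read stdin.
ssh_access_decision() {
    awk -v user="$2" -v groups="$3" '
    function listed(list, name,    n, a, i) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == name) return 1
        return 0
    }
    function any_group(list,    n, g, i) {
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) if (listed(list, g[i])) return 1
        return 0
    }
    /^[ \t]*#/ { next }                   # skip comment lines
    {
        key = tolower($1)                 # keywords are case-insensitive
        if (key ~ /^(allow|deny)(users|groups)$/)
            for (i = 2; i <= NF; i++) acl[key] = acl[key] " " $i
    }
    END {
        if (listed(acl["denyusers"], user)) r = "deny (DenyUsers)"
        else if (acl["allowusers"] != "" && !listed(acl["allowusers"], user)) r = "deny (AllowUsers)"
        else if (any_group(acl["denygroups"])) r = "deny (DenyGroups)"
        else if (acl["allowgroups"] != "" && !any_group(acl["allowgroups"])) r = "deny (AllowGroups)"
        else r = "allow"
        print r
    }' "$1"
}

# Constructed sample: the four lines this article appends, all left in place.
sample_sshd_acl() {
    printf '%s\n' 'AllowUsers user3' 'DenyUsers user1' \
        'AllowGroups 2g-admin' 'DenyGroups 2g-admin'
}

# Membership as in the article: user1..user3 are in 2g-admin, ladmin is not.
for u in user1 user3 ladmin; do
    case $u in ladmin) g="ladmin" ;; *) g="$u 2g-admin" ;; esac
    printf '%s: %s\n' "$u" "$(sample_sshd_acl | ssh_access_decision - "$u" "$g")"
done
```

On a live host, `sshd -t` checks the edited file for errors before the restart, and `sshd -T` prints the effective settings, including the allow and deny lists.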
