How can one allow or deny an ssh login for a specific user(s) or group(s) on an sshd server?
(I realize SE has similar questions, but I could not find any that address this specific point. All others I found appear to conflate other scenarios.)
To deny a user ssh login, add this to the end of your sshd config file (/etc/ssh/sshd_config in Linux/Unix/BSD):
DenyUsers theusername
For groups:
DenyGroups thegroupname
Then restart the sshd service. The following works on Ubuntu 18.04:
systemctl restart sshd
One can add a space-separated list of user or group names, respectively.
The AllowUsers and AllowGroups directives do the opposite.
Excerpt from the sshd_config man page:
DenyGroups
This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
DenyUsers
This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
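The four directives are evaluated in a fixed order, and a mistake in an AllowUsers or AllowGroups line can lock out every administrator at the next restart. The following is an added example (not sshd's code and not part of the answer above): a small Python evaluator that reads the allow/deny directives from a sshd_config draft and reports, per account, which directive would admit or reject it, following the order the man page states (DenyUsers, AllowUsers, DenyGroups, AllowGroups). The config text, user names, group memberships and client addresses are constructed for the example. Wildcards '*' and '?' are handled with fnmatch; negated '!' patterns and directives inside Match blocks are assumed out of scope and are not evaluated.

```python
# Added example: offline evaluator for sshd's AllowUsers/DenyUsers/AllowGroups/DenyGroups
# logic in the documented order. Not sshd's own code; meant for checking a draft
# sshd_config before restarting the service. Negated ('!') patterns are not handled,
# and directives inside Match blocks are skipped (they apply only conditionally).
import fnmatch
from typing import Dict, List, Optional, Set, Tuple

DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

# Constructed sample config, not taken from any real server.
SAMPLE_CONFIG = """
# constructed sample
DenyUsers guest test*
AllowUsers alice bob@10.0.0.* ops*
DenyGroups nologin
AllowGroups admins ops
Match Address 192.168.0.0/24
    PasswordAuthentication no
"""

# Constructed accounts: name -> (all groups, primary and supplementary; client address or None)
SAMPLE_ACCOUNTS: Dict[str, Tuple[Set[str], Optional[str]]] = {
    "alice": ({"users", "admins"}, None),
    "bob": ({"ops"}, "10.0.0.5"),
    "guest": ({"users"}, None),
    "tester": ({"admins"}, None),
    "opsbot": ({"ops", "nologin"}, None),
    "carol": ({"admins"}, None),
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect the four allow/deny directives from the top-level section of a sshd_config."""
    rules: Dict[str, List[str]] = {d: [] for d in DIRECTIVES}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key == "match":
            in_match = True  # a Match block extends to the end of the file or the next Match
            continue
        if in_match:
            continue
        for d in DIRECTIVES:
            if key == d.lower():
                rules[d].extend(parts[1:])
    return rules


def _user_matches(pattern: str, user: str, host: Optional[str]) -> bool:
    """USER@HOST patterns check user and host separately; plain patterns check only the user."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        if host is None:
            return False
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)


def _group_matches(patterns: List[str], groups: Set[str]) -> bool:
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def login_allowed(rules: Dict[str, List[str]], user: str, groups: Set[str],
                  host: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, deciding directive) in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if any(_user_matches(p, user, host) for p in rules["DenyUsers"]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not any(_user_matches(p, user, host) for p in rules["AllowUsers"]):
        return False, "AllowUsers (not listed)"
    if _group_matches(rules["DenyGroups"], groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not _group_matches(rules["AllowGroups"], groups):
        return False, "AllowGroups (not listed)"
    return True, "allowed"


def check_accounts(config_text: str,
                   accounts: Dict[str, Tuple[Set[str], Optional[str]]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every account against the config; useful as a pre-restart lockout check."""
    rules = parse_sshd_config(config_text)
    return {u: login_allowed(rules, u, grp, host) for u, (grp, host) in accounts.items()}


if __name__ == "__main__":
    for user, (ok, why) in check_accounts(SAMPLE_CONFIG, SAMPLE_ACCOUNTS).items():
        print(f"{user:8} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it against the draft before `systemctl restart sshd`; any administrator account that shows DENY under "AllowUsers (not listed)" or "AllowGroups (not listed)" is the classic self-lockout. Note that `opsbot` is admitted by the AllowUsers pattern `ops*` but still rejected by DenyGroups, which is exactly the ordering the man page excerpt describes.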
Another way to do it is by using access.conf.
First, you need to enable pam_access in /etc/pam.d/sshd by adding the following line:
account required pam_access.so
Then you can edit /etc/security/access.conf, and remove access to the required user(s)/group(s) by adding the following line for each one:
-:<user or group>:ALL
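Because pam_access applies the first matching line of access.conf and grants access when nothing matches, the position of a `-:` entry relative to any `+:` entry decides the outcome. The following is an added example (not pam_access's code and not part of the answer above): a simplified Python evaluator for the `permission:users:origins` format that shows which constructed accounts a draft access.conf would reject. It assumes sshd runs PAM at all (`UsePAM yes`), that user fields contain ALL, plain user names, or `(group)` names (with a bare group name accepted as a legacy fallback), and that origins are ALL or a literal host/address; EXCEPT clauses, LOCAL and netgroups are assumed out of scope and are not handled.

```python
# Added example: simplified evaluator for pam_access's access.conf (permission:users:origins).
# Not pam_access's own code. Semantics modelled: first matching line wins; no matching line
# means access is granted. EXCEPT clauses, LOCAL and @netgroup origins are not handled.
from typing import List, Optional, Set, Tuple

Entry = Tuple[str, List[str], List[str]]  # (permission, user tokens, origin tokens)

# Constructed sample file, not from any real host. The last line is a common explicit default.
SAMPLE_ACCESS_CONF = """
# constructed sample
-:guest:ALL
-:(contractors):ALL
-:svc-backup:10.0.0.9
+:ALL:ALL
"""


def parse_access_conf(text: str) -> List[Entry]:
    """Parse access.conf lines; split on the first two colons so IPv6 origins survive."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        entries.append((fields[0], fields[1].split(), fields[2].split()))
    return entries


def _users_match(tokens: List[str], user: str, groups: Set[str]) -> bool:
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in groups:  # explicit group form
                return True
        elif tok == user:
            return True
        elif tok in groups:  # legacy bare group name, checked after the user name
            return True
    return False


def _origin_matches(tokens: List[str], origin: str) -> bool:
    return any(tok == "ALL" or tok == origin for tok in tokens)


def access_decision(entries: List[Entry], user: str, groups: Set[str],
                    origin: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matching line or None). For sshd the origin is the client host/address."""
    for perm, users, origins in entries:
        if _users_match(users, user, groups) and _origin_matches(origins, origin):
            return perm == "+", f"{perm}:{' '.join(users)}:{' '.join(origins)}"
    return True, None  # pam_access grants access when no line matches


if __name__ == "__main__":
    entries = parse_access_conf(SAMPLE_ACCESS_CONF)
    for name, grps, origin in [("alice", {"users"}, "10.0.0.5"),
                               ("guest", {"users"}, "10.0.0.5"),
                               ("bob", {"users", "contractors"}, "10.0.0.5"),
                               ("svc-backup", {"users"}, "10.0.0.9"),
                               ("svc-backup", {"users"}, "10.0.0.10")]:
        ok, why = access_decision(entries, name, grps, origin)
        print(f"{name:11} from {origin:10} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The evaluator also makes a second property of this approach visible: unlike the sshd directives, a pam_access denial is enforced in the PAM account phase and therefore applies to every PAM-aware service that includes pam_access, not only to sshd, which is worth keeping in mind when the same access.conf is referenced from several files in /etc/pam.d.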