Enable or disable SSH for a specific user or user group

What is SSH?

OpenSSH stands for OpenBSD Secure Shell. Secure Shell (SSH) is a free and open-source network tool that lets us access remote hosts over an insecure network using the Secure Shell (SSH) protocol.

It uses a client/server (C/S) architecture and provides user authentication, encryption, file transfer between computers, and tunnelling.

We could also use traditional tools such as telnet or rcp, but these tools are not secure because they send passwords in plaintext whenever they perform an action.

How to allow users to use SSH in Linux?

With the following directive, we can enable ssh access for a specified user or list of users. To allow multiple users, separate them with spaces on the same line.

To achieve this, you only need to append the following line to the /etc/ssh/sshd_config file. In this case, we will allow user user3 to use ssh.

# echo "AllowUsers user3" >> /etc/ssh/sshd_config

You can run the following command to check whether the line was added successfully.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers user3

That's it. Now you just need to restart the ssh service and witness the miracle. (The following two commands have the same effect; run whichever matches your service manager.)

# systemctl restart sshd
or
# service sshd restart
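The article appends each directive with "echo >>", which puts it at the very end of sshd_config. If the file already ends in a Match block, the appended AllowUsers/DenyUsers/AllowGroups/DenyGroups line lands inside that block, where those keywords are not permitted, and sshd refuses the configuration. The following added example (not from the original article) inserts the directive above the first Match line instead and checks the placement before you restart. The sample config, temp-file paths and the check_config helper are constructed for illustration; on a real host also run "sshd -t" against the file before restarting.

```shell
#!/bin/sh
# Added example (not from the original article): insert an access-control
# directive into a copy of sshd_config *above* any "Match" block. Appending
# with "echo >>" puts the line at the very end of the file, and if the file
# ends in a Match block the directive lands inside it, where AllowUsers and
# friends are not permitted and "sshd -t" reports an error.
# All file paths here are constructed; point the functions at the real file.

# Constructed sample sshd_config that ends in a Match block.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# add_directive FILE KEYWORD VALUE...
# Inserts "KEYWORD VALUE..." before the first Match line (or at the end
# when there is none) and prints the line number it now occupies.
add_directive() {
    f=$1; kw=$2; shift 2
    line="$kw $*"
    tmp=$(mktemp)
    awk -v ins="$line" '
        !done && tolower($1) == "match" { print ins; done = 1 }
        { print }
        END { if (!done) print ins }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    grep -n -F -x -- "$line" "$f" | head -n 1 | cut -d: -f1
}

# check_config FILE
# Returns non-zero if any Allow*/Deny* directive sits below a Match line.
# On a real host, additionally run "sshd -t -f FILE" before restarting sshd,
# because a config error would otherwise leave you without a working daemon.
check_config() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        in_match && tolower($1) ~ /^(allow|deny)(users|groups)$/ { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Demo run: naive append versus placement above the Match block.
demo() {
    naive=$(make_sample_config)
    echo "AllowUsers user3" >> "$naive"
    check_config "$naive" && echo "naive append: ok" || echo "naive append: directive ended up inside the Match block"
    safe=$(make_sample_config)
    n=$(add_directive "$safe" AllowUsers user3)
    check_config "$safe" && echo "inserted at line $n: ok"
    rm -f "$naive" "$safe"
}
demo
```

The same helper works for DenyUsers, AllowGroups and DenyGroups; only the keyword argument changes.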

Next, simply open a new terminal or session and try to access the Linux system as a different user. Yes, user2 is not allowed to log in using SSH here and will get the error message shown below.

# ssh user2@192.168.1.4
user2@192.168.1.4's password:
Permission denied, please try again.

Output:

Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user2
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2

At the same time, user3 is allowed to log on to the system because he is in the list of allowed users.

# ssh user3@192.168.1.4
user3@192.168.1.4's password:
[user3@CentOS7 ~]$

Output:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)
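The log lines above show that sshd records the exact directive responsible for a rejection ("not listed in AllowUsers", "listed in DenyUsers", and so on) before the generic "Failed password" line. When auditing a host it is useful to separate these policy rejections from ordinary wrong-password attempts. The following added example (not from the original article) does that over a handful of log lines constructed from the article's own output; on a real host, pipe /var/log/secure (RHEL/CentOS) or /var/log/auth.log (Debian/Ubuntu) into summarize instead of sample_log.

```shell
#!/bin/sh
# Added example (not from the original article): tally sshd outcomes from
# auth-log lines, separating policy rejections (AllowUsers/DenyUsers/
# AllowGroups/DenyGroups) from plain password failures and successes.
# The sample lines are constructed from the article's output.

sample_log() {
    cat <<'EOF'
Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
EOF
}

# summarize < LOG
# Prints one tab-separated line per (outcome, user, source) with a count.
# Outcomes: "policy:<Directive>", "accepted", "failed-password".
summarize() {
    awk '
        /sshd\[[0-9]+\]: User .* not allowed because/ {
            # "User <name> from <src> not allowed because ... <Directive>"
            n["policy:" $NF "\t" $7 "\t" $9]++; next
        }
        /sshd\[[0-9]+\]: Accepted / {
            # "Accepted <method> for <name> from <src> port ..."
            n["accepted\t" $9 "\t" $11]++; next
        }
        /sshd\[[0-9]+\]: Failed password for / {
            # "invalid user <name>" shifts the fields by two
            if ($9 == "invalid") { u = $11; s = $13 } else { u = $9; s = $11 }
            n["failed-password\t" u "\t" s]++
        }
        END { for (k in n) print k "\t" n[k] }
    ' | LC_ALL=C sort
}

# Number of logins refused by an access-control directive in the sample.
count_policy_rejections() {
    sample_log | summarize | grep -c '^policy:'
}

# Demo run over the constructed sample.
sample_log | summarize
echo "policy rejections: $(count_policy_rejections)"
```

A rejection whose policy line is missing while "Failed password for invalid user" is present points to a non-existent account rather than an AllowUsers/DenyUsers decision, so the two categories are worth keeping apart when reviewing the log.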

How to prevent users from Using SSH in Linux?

With the following directive, we can disable ssh for a specified user or list of users. To disable multiple users, separate them with spaces on the same line.

To do this, simply append the following line to the /etc/ssh/sshd_config file. In this example, we will prevent user user1 from using ssh.

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

You can run the following command to check whether the line was added successfully.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

That's it. Now you just need to restart the ssh service and witness the miracle.

# systemctl restart sshd
or
# service sshd restart

Next, simply open a new terminal or session and try to access the Linux system as a disabled user. Yes, user1 is in the deny list here, so when you try to log in you will get the error message shown below.

# ssh user1@192.168.1.4
user1@192.168.1.4's password:
Permission denied, please try again.

Output:

Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2

How to allow user groups to use SSH in Linux?

With the following directive, we can allow ssh to be used by a specified group or groups.

To allow multiple groups to use ssh, separate them with spaces on the same line when adding the groups.

To achieve this, simply append the following line to the /etc/ssh/sshd_config file. In this example, we will allow the 2g-admin group to use ssh.

# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config

You can run the following command to check whether the line was added successfully.

# cat /etc/ssh/sshd_config | grep -i allowgroups
AllowGroups 2g-admin

Run the following command to see which users belong to this user group.

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it. Now you just need to restart the ssh service and witness the miracle.

# systemctl restart sshd
or
# service sshd restart

Yes, user1 is allowed to log on to the system because user1 belongs to the 2g-admin group.

# ssh user1@192.168.1.4
user1@192.168.1.4's password:
[user1@CentOS7 ~]$

Output:

Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)

Yes, user2 is allowed to log on to the system because user2 also belongs to the 2g-admin group.

# ssh user2@192.168.1.4
user2@192.168.1.4's password:
[user2@CentOS7 ~]$

Output:

Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

When you try to log in as another user who is not in an allowed group, you will get the following error message.

# ssh ladmin@192.168.1.4
ladmin@192.168.1.4's password:
Permission denied, please try again.

Output:

Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=ladmin
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2

How to prevent user groups from Using SSH in Linux?

With the following directive, we can disable ssh for a specified group or groups.

To disable ssh for multiple groups, separate them with spaces on the same line when adding the groups.

To achieve this, you need only append the following line to the /etc/ssh/sshd_config file.

# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config

You can run the following command to check whether the line was added successfully.

# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups 2g-admin
# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it. Now you just need to restart the ssh service and witness the miracle.

# systemctl restart sshd
or
# service sshd restart

Yes, user1 is not allowed to log on to the system because he is a member of the 2g-admin group, which is the group for which ssh has been disabled.

# ssh user1@192.168.1.4
user1@192.168.1.4's password:
Permission denied, please try again.

Output:

Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2

Apart from the members of the 2g-admin group, all users can use ssh to log in to the system. For example, users such as ladmin are allowed to log on.

# ssh ladmin@192.168.1.4
ladmin@192.168.1.4's password:
[ladmin@CentOS7 ~]$

Output:

Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)
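The article applies the four directives one at a time, but in practice they often end up in the same sshd_config together. sshd_config(5) evaluates them in a fixed order, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a non-empty Allow list refuses everyone it does not name, so AllowUsers and AllowGroups both have to be satisfied. The following added example (not from the original article) models that decision in shell for the article's users and group so you can see what happens if all four lines from this page were appended to one file: every user shown here, including user3, is refused. The helper functions are constructed for illustration and match names exactly, whereas real sshd also accepts wildcard and user@host patterns.

```shell
#!/bin/sh
# Added example (not from the original article): a shell model of how sshd
# combines the four access-control directives. Per sshd_config(5) they are
# evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; the
# first matching rule decides, and a non-empty Allow list denies everyone
# not on it. Users, group and directive values are the article's examples.
# Simplification: exact name matching only (no wildcards, no user@host).

# Does the word $1 appear in the space-separated list $2?
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# ssh_access USER "GROUPS" "DENYUSERS" "ALLOWUSERS" "DENYGROUPS" "ALLOWGROUPS"
# Prints the deciding rule and returns 0 (allowed) or 1 (denied).
ssh_access() {
    user=$1; groups=$2; du=$3; au=$4; dg=$5; ag=$6
    if in_list "$user" "$du"; then
        echo "denied: listed in DenyUsers"; return 1
    fi
    if [ -n "$au" ] && ! in_list "$user" "$au"; then
        echo "denied: not listed in AllowUsers"; return 1
    fi
    for g in $groups; do
        if in_list "$g" "$dg"; then
            echo "denied: group $g listed in DenyGroups"; return 1
        fi
    done
    if [ -n "$ag" ]; then
        for g in $groups; do
            in_list "$g" "$ag" && { echo "allowed: group $g in AllowGroups"; return 0; }
        done
        echo "denied: none of user's groups listed in AllowGroups"; return 1
    fi
    echo "allowed"; return 0
}

# Group membership taken from the article's "getent group 2g-admin" output.
groups_of() {
    case $1 in
        user1|user2|user3) echo "2g-admin" ;;
        *) echo "" ;;
    esac
}

# Decision for a user when all four directives from the article are present
# in one sshd_config: DenyUsers user1, AllowUsers user3,
# DenyGroups 2g-admin, AllowGroups 2g-admin.
decide_with_all_four() {
    ssh_access "$1" "$(groups_of "$1")" "user1" "user3" "2g-admin" "2g-admin"
}

# Demo run: nobody from the article can log in under the combined config.
for u in user1 user2 user3 ladmin; do
    printf '%-7s %s\n' "$u" "$(decide_with_all_four "$u" || true)"
done
```

The practical lesson is to keep only the directives you mean to enforce: after following the whole article literally, "sshd -T | grep -iE 'allow|deny'" would show all four lines, and the DenyGroups entry alone is enough to lock out the entire 2g-admin group regardless of AllowUsers.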

via: https://www.2daygeek.com/allow-deny-enable-disable-ssh-access-user-group-in-linux/

Tags: Operation & Maintenance ssh Session Linux Permission denied

Posted on Tue, 24 Mar 2020 03:22:07 -0400 by sxiix