Enable or disable SSH for specific users or user groups on Linux

Your company's security standards may require that only certain people, or only members of certain user groups, can access a Linux system. How do you meet such a requirement, and what is the simplest way to do it?

There are many ways to implement this, but a simple and easy one is to add the required directives to the /etc/ssh/sshd_config file. This article shows the detailed steps.

Why do this? For security reasons. You can follow this link for more information about how to use OpenSSH.

What is SSH?

OpenSSH is short for OpenBSD Secure Shell. It is a free and open source suite of network tools that lets us access remote hosts securely over an insecure network using the Secure Shell (SSH) protocol.

It uses a client/server (C/S) architecture and provides user authentication, encryption of the session, file transfer between computers, tunnelling, and more.

Older tools such as telnet or rcp could be used instead, but they are not secure: they transmit passwords, and everything else, in plaintext.

How to allow users to use SSH in Linux?

The following steps enable SSH access only for a specified user or list of users. To allow multiple users, separate their names with spaces on the same line.

To do this, append the following directive to the /etc/ssh/sshd_config file. In this example we allow the user user3 to use SSH.

# echo "AllowUsers user3" >> /etc/ssh/sshd_config

Run the following command to confirm that the line was added.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers user3

That's it. Now restart the SSH service so the change takes effect (the two commands below do the same thing; use the one that matches your service manager).

# systemctl restart sshd
or
# service sshd restart
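The append-and-restart procedure above is reused for DenyUsers, AllowGroups and DenyGroups later in this article. Two things can go wrong with a bare `echo ... >> /etc/ssh/sshd_config`: the keyword may already be set elsewhere in the file, and if the file ends with a Match block the appended line becomes part of that block instead of the global configuration. The following added shell script (not from the original article) wraps the step with those two checks and a `sshd -t` syntax check; the function names and the temporary demo file are my own, and the demo never touches the real configuration file.

```shell
#!/bin/sh
# Added example, not part of the original article: a safer version of the
# "echo ... >> /etc/ssh/sshd_config" step used throughout this post.
# It appends an access-control directive (AllowUsers, DenyUsers, AllowGroups,
# DenyGroups) only if the keyword is not already configured, refuses to append
# when the file contains a Match block (a line appended after a Match block
# belongs to that block, not to the global configuration), and offers a
# configuration check with `sshd -t` before the service is restarted.

# add_sshd_directive FILE KEYWORD VALUE
# Prints one of: added, present, match-block. Always returns 0; the caller
# inspects the printed word.
add_sshd_directive() {
    file=$1
    keyword=$2
    value=$3

    # Keyword already set? (case-insensitive, leading whitespace allowed;
    # a commented-out "#AllowUsers" line does not count)
    if grep -Eiq "^[[:space:]]*${keyword}[[:space:]]+" "$file"; then
        echo "present"
        return 0
    fi

    # Once a Match line appears, everything up to the next Match (or end of
    # file) is conditional, so appending to the end would not be global.
    if grep -Eiq '^[[:space:]]*Match[[:space:]]' "$file"; then
        echo "match-block"
        return 0
    fi

    printf '%s %s\n' "$keyword" "$value" >> "$file"
    echo "added"
}

# check_sshd_config FILE
# Runs `sshd -t -f FILE` when sshd is installed (run as root so the host keys
# are readable); prints "ok", "invalid" or "skipped".
check_sshd_config() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "skipped"
        return 0
    fi
    if sshd -t -f "$1" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "invalid"
    fi
}

# Demo on a constructed copy of sshd_config so nothing touches the real file.
demo_cfg=$(mktemp)
printf 'Port 22\nPermitRootLogin no\n' > "$demo_cfg"
add_sshd_directive "$demo_cfg" AllowUsers user3   # added
add_sshd_directive "$demo_cfg" AllowUsers user3   # present
printf 'Match User backup\n    PasswordAuthentication no\n' >> "$demo_cfg"
add_sshd_directive "$demo_cfg" DenyUsers user1    # match-block
rm -f "$demo_cfg"
```

On a real host, run `add_sshd_directive /etc/ssh/sshd_config AllowUsers user3` as root, then `check_sshd_config /etc/ssh/sshd_config`, and only restart sshd when it prints `ok`; keep your current SSH session open while you test the new one, so a mistake in the list cannot lock you out. If the function prints `present`, edit the existing line instead of adding a second one, so there is a single authoritative list; if it prints `match-block`, insert the directive above the first Match line.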

Next, open a new terminal or session and try to access the system as a different user. Here user2 is not in the list, so the SSH login is refused with the following error message.

# ssh user2@192.168.1.4
user2@192.168.1.4's password: 
Permission denied, please try again.

Server log output:

Mar 29 02:00:35 CentOS7 sshd[4900]: User user2 from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user user2 [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (user2)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user2
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user user2 from 192.168.1.6 port 42568 ssh2

Meanwhile, user3 can log in to the system because that user is in the AllowUsers list.

# ssh user3@192.168.1.4
user3@192.168.1.4's password: 
[user3@CentOS7 ~]$

Server log output:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for user3 from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user user3 by (uid=0)

How to prevent users from using SSH in Linux?

The following steps disable SSH for a specified user or list of users. To disable multiple users, separate their names with spaces on the same line.

To do this, append the following directive to the /etc/ssh/sshd_config file. In this example we prevent the user user1 from using SSH.

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

Run the following command to confirm that the line was added.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

That's it. Now restart the SSH service so the change takes effect.

# systemctl restart sshd
or
# service sshd restart

Next, open a new terminal or session and try to log in as the denied user. Here user1 is in the DenyUsers list, so the login attempt fails with the error message shown below.

# ssh user1@192.168.1.4
user1@192.168.1.4's password: 
Permission denied, please try again.

Server log output:

Mar 29 01:53:42 CentOS7 sshd[4753]: User user1 from 192.168.1.6 not allowed because listed in DenyUsers
Mar 29 01:53:42 CentOS7 sshd[4753]: input_userauth_request: invalid user user1 [preauth]
Mar 29 01:53:46 CentOS7 unix_chkpwd[4755]: password check failed for user (user1)
Mar 29 01:53:46 CentOS7 sshd[4753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 01:53:48 CentOS7 sshd[4753]: Failed password for invalid user user1 from 192.168.1.6 port 42522 ssh2

How to allow user groups to use SSH in Linux?

The following steps allow only a specified group or groups to use SSH.

To allow multiple groups, separate their names with spaces on the same line.

To do this, append the following directive to the /etc/ssh/sshd_config file. In this example we allow the 2g-admin group to use SSH.

# echo "AllowGroups 2g-admin" >> /etc/ssh/sshd_config

Run the following command to confirm that the line was added.

# cat /etc/ssh/sshd_config | grep -i allowgroups
AllowGroups 2g-admin

Run the following command to see which users belong to this user group.

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it. Now restart the SSH service so the change takes effect.

# systemctl restart sshd
or
# service sshd restart

user1 can log in to the system because user1 is a member of the 2g-admin group.

# ssh user1@192.168.1.4
user1@192.168.1.4's password: 
[user1@CentOS7 ~]$

Server log output:

Mar 29 02:10:21 CentOS7 sshd[5165]: Accepted password for user1 from 192.168.1.6 port 42640 ssh2
Mar 29 02:10:22 CentOS7 sshd[5165]: pam_unix(sshd:session): session opened for user user1 by (uid=0)

user2 can also log in, because user2 is a member of the 2g-admin group as well.

# ssh user2@192.168.1.4
user2@192.168.1.4's password: 
[user2@CentOS7 ~]$

Server log output:

Mar 29 02:10:38 CentOS7 sshd[5225]: Accepted password for user2 from 192.168.1.6 port 42642 ssh2
Mar 29 02:10:38 CentOS7 sshd[5225]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

Logging in as a user who is not in the allowed group, such as ladmin, fails with the following error message.

# ssh ladmin@192.168.1.4
ladmin@192.168.1.4's password: 
Permission denied, please try again.

Server log output:

Mar 29 02:12:36 CentOS7 sshd[5306]: User ladmin from 192.168.1.6 not allowed because none of user's groups are listed in AllowGroups
Mar 29 02:12:36 CentOS7 sshd[5306]: input_userauth_request: invalid user ladmin [preauth]
Mar 29 02:12:56 CentOS7 unix_chkpwd[5310]: password check failed for user (ladmin)
Mar 29 02:12:56 CentOS7 sshd[5306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=ladmin
Mar 29 02:12:58 CentOS7 sshd[5306]: Failed password for invalid user ladmin from 192.168.1.6 port 42674 ssh2

How to prevent user groups from using SSH in Linux?

The following steps disable SSH for a specified group or groups.

To disable SSH for multiple groups, separate their names with spaces on the same line.

To do this, append the following directive to the /etc/ssh/sshd_config file.

# echo "DenyGroups 2g-admin" >> /etc/ssh/sshd_config

Run the following command to confirm that the line was added.

# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups 2g-admin

# getent group 2g-admin
2g-admin:x:1005:user1,user2,user3

That's it. Now restart the SSH service so the change takes effect.

# systemctl restart sshd
or
# service sshd restart

user1 can no longer log in to the system, because user1 is a member of the 2g-admin group, which is now denied SSH access.

# ssh user1@192.168.1.4
user1@192.168.1.4's password: 
Permission denied, please try again.

Server log output:

Mar 29 02:17:32 CentOS7 sshd[5400]: User user1 from 192.168.1.6 not allowed because a group is listed in DenyGroups
Mar 29 02:17:32 CentOS7 sshd[5400]: input_userauth_request: invalid user user1 [preauth]
Mar 29 02:17:38 CentOS7 unix_chkpwd[5402]: password check failed for user (user1)
Mar 29 02:17:38 CentOS7 sshd[5400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=user1
Mar 29 02:17:41 CentOS7 sshd[5400]: Failed password for invalid user user1 from 192.168.1.6 port 42710 ssh2

All users outside the 2g-admin group can still log in with SSH; for example, ladmin is allowed to log in to the system.

# ssh ladmin@192.168.1.4
ladmin@192.168.1.4's password: 
[ladmin@CentOS7 ~]$

Server log output:

Mar 29 02:19:13 CentOS7 sshd[5432]: Accepted password for ladmin from 192.168.1.6 port 42716 ssh2
Mar 29 02:19:13 CentOS7 sshd[5432]: pam_unix(sshd:session): session opened for user ladmin by (uid=0)
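The four sections above each show one directive in isolation. In practice they are often combined, and sshd evaluates them in a fixed order documented in sshd_config(5): DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups. A deny match at any stage wins, and an Allow list, once set, rejects everyone it does not name. The following shell script is an added example, not from the original article: it models that evaluation on constructed user and group data and reproduces the "not allowed because ..." reasons seen in the log lines above. The function names and the sample settings are my own; wildcard patterns and user@host forms, which real sshd also accepts, are not modelled.

```shell
#!/bin/sh
# Added example, not part of the original article: a model of how sshd combines
# DenyUsers, AllowUsers, DenyGroups and AllowGroups for one login attempt.
# sshd_config(5) documents the evaluation order as DenyUsers, AllowUsers,
# DenyGroups, AllowGroups. Only exact names are modelled here; real sshd also
# matches wildcard patterns and user@host forms, which this script ignores.

# Constructed settings mirroring the last section of the article (a
# space-separated list per directive; an empty string means "not set").
DENY_USERS=""
ALLOW_USERS=""
DENY_GROUPS="2g-admin"
ALLOW_GROUPS=""

# in_list NAME "LIST" -> 0 when NAME is one of the words in LIST
in_list() {
    for w in $2; do
        if [ "$w" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# any_in_list "NAMES" "LIST" -> 0 when at least one of NAMES is in LIST
any_in_list() {
    for n in $1; do
        if in_list "$n" "$2"; then
            return 0
        fi
    done
    return 1
}

# ssh_access_decision USER "GROUPS"
# GROUPS is the user's primary plus supplementary groups (what `id -Gn USER`
# prints). Prints "allow" or "deny: <reason>", using the same wording as the
# sshd log lines shown in the article.
ssh_access_decision() {
    user=$1
    groups=$2
    if in_list "$user" "$DENY_USERS"; then
        echo "deny: listed in DenyUsers"
    elif [ -n "$ALLOW_USERS" ] && ! in_list "$user" "$ALLOW_USERS"; then
        echo "deny: not listed in AllowUsers"
    elif any_in_list "$groups" "$DENY_GROUPS"; then
        echo "deny: a group is listed in DenyGroups"
    elif [ -n "$ALLOW_GROUPS" ] && ! any_in_list "$groups" "$ALLOW_GROUPS"; then
        echo "deny: none of user's groups are listed in AllowGroups"
    else
        echo "allow"
    fi
}

# Constructed users from the article: user1 is in 2g-admin, ladmin is not.
ssh_access_decision user1 "user1 2g-admin"    # deny: a group is listed in DenyGroups
ssh_access_decision ladmin "ladmin"           # allow
```

Because DenyUsers is checked first, listing a user in both DenyUsers and AllowUsers denies them, and because an AllowGroups line rejects every group it does not name, adding AllowGroups to a host that already has AllowUsers narrows access to users who pass both checks. Walking a planned change through this model before editing the real file is a cheap way to catch a lockout.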

Posted on Mon, 22 Nov 2021 10:03:45 -0500 by Gazan