sshd_config AllowUsers
Unfortunately, whenever the @ is present, it negates the previous parameters, no matter what the order is.
I have two questions: is there an order in which the parameters within the AllowUsers directive are executed, and is the logic above even possible?
4 Answers
The sshd_config man page says that the order of processing is:
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
So if the «user1» also has its own group «user1» you can use this configuration:
AllowUsers *@host1
DenyGroups user1
AllowGroups *
Another option is to use negation:
DenyUsers user1@!host1
AllowUsers *@*
One word of caution. Multiple entries on the AllowUsers statement that use the same user in user@host notation can cause the subsequent entries not to be evaluated. It is more reliable to enter separate AllowUsers statements, each with their own user@host entries. I specifically noticed this behavior in Ubuntu 16.04.
The logic above is not possible with just one instance of sshd. However it is possible if you run a second sshd instance (configured to listen on a different port).
Configure the first instance with:
Configure the second instance with:
Tell user1 to connect to the second instance (different port). Tell all other users to connect to the first instance (default port).
NOTE: You could also allow or deny ssh access by using SSH PAM CONFIG (recommended for a large number of users) or with TCP Wrappers but you would need to get the libwrap.a library to make it work with SSH.
If you want to restrict access via SSHD CONFIG, you can use these four entries:
AllowUsers
AllowGroups
DenyUsers
DenyGroups
The pattern matching occurs in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. This means that, for example, if you add a user to both entries (AllowUsers and DenyUsers), the user is denied no matter the order in which the rules appear in the config file.
To accomplish the 3 restrictions you mention, you could try creating a group sshgroup and configure every user account, except for user1, to be included in the group. Finally you could create a script to add the users in sshgroup to a rule in your sshd_config file that always includes:
AllowUsers user1@host1 user2 user3
To keep the sshd config file up to date, you could call the script every time a user is created/deleted. Don’t forget to restart the ssh daemon after every change to the config file.
Here you can find a script «pop_user_allow_ssh» that is also trying to generate a user list.
You don’t mention your OS but this is how I did it on AIX. I hope the idea helps.
How to restrict or allow ssh only from certain users, groups or hosts in Linux
How to configure SSH to permit root login only from specific host or IP address? How to configure SSH to permit login only for certain users and/or groups? How to restrict password based logins only to certain users and/or hosts? How to restrict SSH for login via certain users only? How to allow SSH for login via root from certain hosts only?
Restrict SSH login via root for specific host
Here I will show you the steps to restrict ssh for the ‘root’ user only from node2 (10.0.2.31), while ssh as root from all other hosts remains allowed on node3. In my previous article I shared the commands to check and list active ssh connections with examples.
Open your sshd_config file for editing
[root@node3 ~]# vim /etc/ssh/sshd_config
# Turn this option to 'yes' to allow public root login
PermitRootLogin yes
# Add below content to restrict root login from node2 (10.0.2.31)
Match Address 10.0.2.31
    PermitRootLogin no
Next exit the editor and restart your sshd services
[root@node3 ~]# systemctl restart sshd
Now from ‘node2 (10.0.2.31)’ I will try to ssh to node3, and as expected it fails
[root@node2 ~]# ssh node3
root@node3's password:
Permission denied, please try again.
root@node3's password:
If we check the syslog on node3, we get more information about the cause of the ssh failure.
[root@node3 ~]# tail -f /var/log/messages
May 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)
May 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31 user=root
May 01 23:00:09 node3.example.com sshd[14003]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2
Allow SSH login using passwords only from specific hosts
To allow SSH login using passwords only from specific hosts, for example when enforcing strict key-based SSH login for all users while making an exception for specific hosts:
[root@node3 ~]# vim /etc/ssh/sshd_config
# Turn this option to 'no' to deny password based login for public
PasswordAuthentication no
# Add below content to allow password based login from node2 (10.0.2.31)
Match Address 10.0.2.31
    PasswordAuthentication yes
Restart the sshd service for the changes to take effect
[root@node3 ~]# systemctl restart sshd
Now try to do SSH from any other host (other than node2) and observe the result
[root@node3 ~]# tail -f /var/log/messages
May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
May 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]
As expected, SSH is not allowed. Now try from node2:
[root@node2 ~]# ssh root@node3
root@node3's password:
Last login: Thu May 2 19:48:16 2019 from 10.0.2.2
[root@node3 ~]#
So, we were successfully able to SSH to our node3 from node2
Observe the messages in syslog on node3
[root@node3 ~]# tail -f /var/log/messages
May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
May 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.
May 02 19:54:01 node3.example.com sshd[4510]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 02 19:54:01 node3.example.com systemd-logind[2775]: New session 3 of user root.
May 02 19:54:02 node3.example.com dbus[2764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 02 19:54:02 node3.example.com dbus[2764]: [system] Successfully activated service 'org.freedesktop.problems'
Allow SSH from certain users, host and subnet
To allow password-based SSH login only for user deepak, and only from hosts in the subnet 10.0.2.*, make the following changes in your sshd_config file (public key login is still governed by the global settings)
[root@node3 ~]# vim /etc/ssh/sshd_config
# Turn this option to 'no' to deny password based login for public
PasswordAuthentication no
# Add below content to allow password based login from subnet 10.0.2.*
Match User deepak Address 10.0.2.*
    PasswordAuthentication yes
Restart the sshd service for the changes to take effect
[root@node3 ~]# systemctl restart sshd
Next, try to ssh as any other user from node2 to node3; as expected, SSH is denied
[root@node2 ~]# ssh root@node3
Permission denied (publickey).
Check the syslog on node3 for the cause of the rejection
May 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]
Now try to SSH as user ‘deepak’ from node2
[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Mon Feb 25 20:56:05 2019
[deepak@node3 ~]$
Observe the messages in syslog on node3.
[root@node3 ~]# tail -f /var/log/messages
May 02 20:07:12 node3.example.com sshd[4718]: Accepted password for deepak from 10.0.2.31 port 36314 ssh2
May 02 20:07:13 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 20:07:13 node3.example.com systemd[1]: Started Session 6 of user deepak.
May 02 20:07:13 node3.example.com systemd-logind[2775]: New session 6 of user deepak.
May 02 20:07:13 node3.example.com sshd[4718]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
Allow SSH login only for a certain group
To allow password-based SSH login only for users belonging to the group ‘techteam’, add the following changes in your sshd_config
[root@node3 ~]# vim /etc/ssh/sshd_config
# Turn this option to 'no' to deny password based login for public
PasswordAuthentication no
# Add below content to allow password based login for all users part of group 'techteam'
Match Group techteam
    PasswordAuthentication yes
Restart the sshd service for the changes to take effect
[root@node3 ~]# systemctl restart sshd
Here ‘deepak’ is in my ‘techteam’ group
[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Thu May 2 20:56:07 2019 from 10.0.2.31
So now ‘deepak’ is successfully able to SSH to node3
[root@node3 ~]# tail -f /var/log/messages
May 02 21:12:44 node3.example.com sshd[5847]: Accepted password for deepak from 10.0.2.31 port 36370 ssh2
May 02 21:12:44 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 21:12:44 node3.example.com systemd[1]: Started Session 17 of user deepak.
May 02 21:12:45 node3.example.com systemd-logind[2775]: New session 17 of user deepak.
May 02 21:12:45 node3.example.com sshd[5847]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
I will log out ‘deepak’ user’s session
[deepak@node3 ~]$ logout
Connection to node3 closed.
Next I will try SSH with another user, ‘sharan’, who is not part of techteam
[root@node3 ~]# id sharan
uid=1003(sharan) gid=1003(sharan) groups=1003(sharan)
[root@node3 ~]# ssh sharan@node3
Permission denied (publickey).
As expected, SSH is denied, with the following message on node3
[root@node3 ~]# tail -f /var/log/messages
May 02 22:47:00 node3.example.com sshd[6938]: Connection closed by 10.0.2.31 port 36396 [preauth]
Lastly, I hope the steps from this article to restrict or allow SSH for certain users, groups and hosts in Linux were helpful. Let me know your suggestions and feedback using the comment section.
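A small model of how sshd resolves Match blocks like the ones in this article for a given connection, added here as an example (not code from the article or from OpenSSH): it applies the sshd_config(5) rules that a global keyword takes the first value given, that satisfied Match blocks override the globals, and that among several satisfied blocks only the first one to set a keyword counts. The sample config merges the article's fragments; the address matcher also accepts CIDR entries (which the article does not use), and Match criteria other than User, Address and Group are not modelled.

```python
import fnmatch
import ipaddress
# Constructed sample: the article's Match fragments merged into one sshd_config.
SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.2.31
    PermitRootLogin no
    PasswordAuthentication yes
Match User deepak Address 10.0.2.*
    PasswordAuthentication yes
Match Group techteam
    PasswordAuthentication yes
"""
def addr_matches(addr, pats):
    """Match Address accepts CIDR entries as well as old-style wildcards."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
               if "/" in p else fnmatch.fnmatchcase(addr, p) for p in pats)

def criteria_match(crit, user, addr, groups):
    """A Match line holds only if every criterion/pattern pair is satisfied."""
    for key, pat in zip(crit[::2], crit[1::2]):
        key, pats = key.lower(), pat.split(",")
        if key == "address":
            ok = addr_matches(addr, pats)
        elif key == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in pats)
        elif key == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats)
        else:  # Host, LocalAddress, LocalPort, ... are not modelled here
            raise ValueError("unsupported Match criterion: " + key)
        if not ok:
            return False
    return True

def effective_config(text, user, addr, groups=()):
    """First global value wins; the first satisfied Match block to set a keyword overrides it."""
    glob, matched, in_match = {}, {}, None  # None: still in the global section
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            in_match = criteria_match(parts[1:], user, addr, groups)
        elif in_match is None:
            glob.setdefault(key, val)
        elif in_match:
            matched.setdefault(key, val)
    return {**glob, **matched}
```

On a real host the same answer comes from `sshd -T -C user=deepak,addr=10.0.2.31,host=node2`, which prints the effective settings for that connection, and `sshd -t` checks the file for syntax errors before the restart.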
5 thoughts on “How to restrict or allow ssh only from certain users, groups or hosts in Linux”
Is there a way to have the restriction apply to a number of groups and a few users?
I have a server that I want to allow only groupA, groupB, userC and userD. userC and userD are not members of the two groups above.
Yes, you can use Match User for userC and userD, and Match Group, as explained in this article, for groupA and groupB.
Very good site you have here, but I was curious whether you knew of any forums that cover the same topics talked about here? I’d really love to be a part of an online community where I can get comments from other experienced people that share the same interest. If you have any suggestions, please let me know. Thank you!
Please help with the scenario below:
In the /etc/ssh/sshd_config file, DenyGroups has the “nologin” group, so all the IDs which are part of the “nologin” group will not be able to access the server from the source. But I need one specific ID (say “service1”) which is part of nologin to be able to access it from the source.
I have not tried it, but I believe the order in which the restrictions are implemented matters, so if you define your user service1 in AllowUsers before DenyGroups then it should work, hopefully.
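To make the evaluation order quoted in the answers at the top of the page concrete, and to check the scenario in the last comment, here is a small Python model of sshd's allowed_user() logic, added as an example (not code from the thread or from OpenSSH): it applies DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order and handles USER@HOST entries with the pattern-list negation rules from sshd_config(5), including the case where a lone "!host" entry never produces a positive match. It is simplified in that one host string stands in for sshd's separate hostname and address checks.

```python
import fnmatch

def match_list(s, pattern_list):
    """OpenSSH match_pattern_list(): comma-separated patterns, '!' negates.
    Returns -1 on a negated hit, 1 on a positive hit, 0 on no hit. A negated
    entry on its own never produces 1, so '!host1' alone matches nothing."""
    hit = 0
    for pat in pattern_list.split(","):
        if fnmatch.fnmatchcase(s, pat.lstrip("!")):
            if pat.startswith("!"):
                return -1
            hit = 1
    return hit

def match_user(user, host, entry):
    """One AllowUsers/DenyUsers entry: USER or USER@HOST, where HOST is a
    pattern-list matched against the client's hostname (or address)."""
    if "@" not in entry:
        return fnmatch.fnmatchcase(user, entry)
    upat, hpat = entry.split("@", 1)
    return fnmatch.fnmatchcase(user, upat) and match_list(host, hpat) == 1

def allowed_user(user, host, groups, deny_users=(), allow_users=(),
                 deny_groups=(), allow_groups=()):
    """Mirrors the order in which sshd's allowed_user() applies the four
    directives: DenyUsers, AllowUsers, DenyGroups, AllowGroups. Returns (allowed, reason)."""
    if any(match_user(user, host, e) for e in deny_users):
        return False, "listed in DenyUsers"
    if allow_users and not any(match_user(user, host, e) for e in allow_users):
        return False, "not listed in AllowUsers"
    def in_group(pats):  # group entries are plain patterns, no negation
        return any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats)
    if deny_groups and in_group(deny_groups):
        return False, "a group is listed in DenyGroups"
    if allow_groups and not in_group(allow_groups):
        return False, "no group is listed in AllowGroups"
    return True, "allowed"

# Constructed scenario from the last comment: the nologin group is denied,
# and service1 (a member) is added to AllowUsers in the hope of overriding it.
def comment_scenario():
    return allowed_user("service1", "node2", ["nologin"],
                        allow_users=["service1"], deny_groups=["nologin"])
```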