How to allow or deny SSH server access to certain users and groups
It is always advisable to restrict server access to those who really need it and use it regularly. OpenSSH reads its server configuration from /etc/ssh/sshd_config, and that file is where user and group restrictions are specified. Two directives control access by user name: DenyUsers and AllowUsers. As their names suggest, they do the opposite of each other. Each is followed by a list of user name patterns separated by spaces. The syntax is:
DenyUsers PATTERNS
AllowUsers PATTERNS
Similarly, to control access by group, OpenSSH provides the following directives:
DenyGroups PATTERNS
AllowGroups PATTERNS
The PATTERNS field is a list of patterns separated by spaces. For AllowUsers and DenyUsers each pattern is a user name; for AllowGroups and DenyGroups each pattern is a group name. Numeric UIDs and GIDs are not recognised in place of user and group names. A user pattern may also take the form USER@HOST, in which case the user name and the client host are checked separately; the HOST part is matched against the client's IP address or host name, and in current OpenSSH releases it may also be a CIDR address/masklen range.
OpenSSH evaluates the directives in the following order to decide whether a user may log in:
DenyUsers
AllowUsers
DenyGroups
AllowGroups
A user matching any DenyUsers pattern is refused immediately. If AllowUsers is present, a user matching none of its patterns is refused, whatever groups they belong to. The group directives are checked against every group the user is a member of, primary or supplementary: a match in DenyGroups refuses the login, and if AllowGroups is present the user must match at least one of its patterns. A login is permitted only when it passes all four checks. Because AllowUsers and AllowGroups refuse everyone they do not list, check the edited file with sshd -t and keep an existing session open while you reload sshd, so that a typo cannot lock you out of the server.
Placing the following line in sshd_config denies users neo, liz and mark from logging in over SSH:
DenyUsers neo liz mark
Some more examples. Taken together, these four lines permit only neo to log in, and only if neo belongs to Developers or Quality and to neither Finance nor Sales:
DenyUsers liz mark
AllowUsers neo
DenyGroups Finance Sales
AllowGroups Developers Quality
The following example denies user neo from logging in from the IP address 172.16.5.30:
DenyUsers neo@172.16.5.30
The same USER@HOST form works with AllowUsers. It does not apply to DenyGroups and AllowGroups, which accept group name patterns only.
To deny user neo from logging in from the host neo.techpulp.com:
DenyUsers neo@neo.techpulp.com
The HOST part is compared with the client's IP address and with its resolved host name. Since OpenSSH 6.8, UseDNS defaults to no, in which case sshd does not resolve the client address at all and a host name pattern such as this one never matches; use IP addresses or CIDR ranges unless UseDNS is enabled, and remember that a resolved name is only as trustworthy as the reverse DNS of the client's network.
In addition to plain user names and group names, a pattern can contain wildcards: * matches any string, including the empty string, and ? matches exactly one character. Wildcards may appear in the user name, in the group name and in the HOST part alike.
To deny user neo from logging in from any host in the domain techpulp.com, using the * wildcard:
DenyUsers neo@*.techpulp.com
To deny user neo from logging in from any IP address that starts with 172.16.5., again using *:
DenyUsers neo@172.16.5.*
To deny user neo from logging in from the ten addresses 172.16.5.20 to 172.16.5.29, using the ? wildcard:
DenyUsers neo@172.16.5.2?
? matches exactly one character of any kind, not specifically a digit; because an IP address contains only digits, the pattern covers 172.16.5.20 through 172.16.5.29. It does not match 172.16.5.2 itself (there is no character for ? to consume) nor 172.16.5.200 and above (two extra characters); 172.16.5.2* would match all of those.
A more complex example: * can also stand in for the whole user name or group name, so that a pattern applies to all users or all groups. The following line denies every user from logging in from the IP address 172.16.5.20:
DenyUsers *@172.16.5.20
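The evaluation order and the wildcard and USER@HOST patterns described above can be exercised without touching a live server. The following shell script is an added example, not part of the original article and not OpenSSH's own code: it applies the four checks in sshd's documented order to a constructed sshd_config fragment and prints the decision for several made-up login attempts. It assumes that the user, group and host names in the fragment are fictitious, that the account's group memberships are passed in as a list rather than looked up from the system, and that the config uses only the * and ? wildcards (CIDR host patterns and ! negation are not modelled).

```shell
#!/bin/sh
# Added example (not OpenSSH code): a model of the order in which sshd
# evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups for one login
# attempt, run against a constructed sshd_config fragment. It models the
# '*' and '?' wildcards and the USER@HOST form; CIDR host patterns and '!'
# negation are not modelled (assumption: none appear in the config).
set -eu
set -f   # patterns contain '*'; never let word splitting turn them into filenames

# Constructed config fragment. The user, group and host names are made up.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# Repeated DenyUsers lines accumulate, as they do in sshd.
DenyUsers neo@172.16.5.30 mark liz
DenyUsers neo@172.16.5.2?
AllowUsers neo admin@*.techpulp.com
DenyGroups Finance Sales
AllowGroups Developers Quality
EOF

# directive NAME FILE: print the arguments of every NAME line (keyword match
# is case-insensitive, as in sshd). No output means the directive is unset.
directive() {
    awk -v name="$1" 'tolower($1) == tolower(name) {
        for (i = 2; i <= NF; i++) printf "%s ", $i }' "$2"
}

# glob_match PATTERN STRING: sshd-style wildcard match ('*' and '?').
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# user_matches USER HOST IP PATTERN...: does any pattern match the login?
# A USER@HOST pattern checks both halves; HOST is compared with the client's
# host name and with its IP address.
user_matches() {
    u=$1 h=$2 a=$3; shift 3
    for pat in "$@"; do
        case "$pat" in
            *@*)
                if glob_match "${pat%%@*}" "$u" &&
                   { glob_match "${pat#*@}" "$h" || glob_match "${pat#*@}" "$a"; }
                then return 0; fi ;;
            *)
                if glob_match "$pat" "$u"; then return 0; fi ;;
        esac
    done
    return 1
}

# groups_match "GROUP..." PATTERN...: does any of the user's groups match?
groups_match() {
    grps=$1; shift
    for pat in "$@"; do
        for g in $grps; do
            if glob_match "$pat" "$g"; then return 0; fi
        done
    done
    return 1
}

# ssh_access USER HOST IP "GROUP..." CONFIG: print the decision and return 0
# (allow) or 1 (deny), following sshd's documented evaluation order.
ssh_access() {
    deny_users=$(directive DenyUsers "$5")
    allow_users=$(directive AllowUsers "$5")
    deny_groups=$(directive DenyGroups "$5")
    allow_groups=$(directive AllowGroups "$5")

    # 1. DenyUsers: a match denies, whatever the later directives say.
    if [ -n "$deny_users" ] && user_matches "$1" "$2" "$3" $deny_users; then
        echo "deny (DenyUsers)"; return 1
    fi
    # 2. AllowUsers: once set, anyone it does not list is denied (fail closed).
    if [ -n "$allow_users" ] && ! user_matches "$1" "$2" "$3" $allow_users; then
        echo "deny (not in AllowUsers)"; return 1
    fi
    # 3. DenyGroups: a match denies even a user that AllowUsers named.
    if [ -n "$deny_groups" ] && groups_match "$4" $deny_groups; then
        echo "deny (DenyGroups)"; return 1
    fi
    # 4. AllowGroups: once set, membership in a listed group is required.
    if [ -n "$allow_groups" ] && ! groups_match "$4" $allow_groups; then
        echo "deny (not in AllowGroups)"; return 1
    fi
    echo "allow"
}

# Demonstration: the trailing words stand in for the account's real groups.
for case_ in \
    "neo   neo.techpulp.com 172.16.5.30 Developers" \
    "neo   neo.techpulp.com 172.16.5.25 Developers" \
    "neo   neo.techpulp.com 172.16.5.2  Developers" \
    "neo   laptop           10.0.0.7    Developers Finance" \
    "admin ops.techpulp.com 10.0.0.9    Quality" \
    "bob   laptop           10.0.0.7    Developers"
do
    set -- $case_
    u=$1 h=$2 a=$3; shift 3
    printf '%-5s from %-16s -> %s\n' "$u" "$a" "$(ssh_access "$u" "$h" "$a" "$*" "$CONF" || :)"
done
```

Run it with sh and compare the lines: neo from 172.16.5.25 is refused by the ? pattern while 172.16.5.2 is admitted, because ? must consume exactly one character; neo with a Finance membership is refused by DenyGroups even though AllowUsers names neo; and bob is refused simply because AllowUsers exists and does not list him.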