How to allow or deny SSH server access to certain users and groups
It is always advisable to restrict server access to those who really need it and use it regularly. OpenSSH provides a configuration file, “/etc/ssh/sshd_config“, in which user or group restrictions can be specified. OpenSSH provides two directives to control access by user: “DenyUsers” and “AllowUsers”. As their names suggest, they are exact opposites of each other. Each directive is followed by a list of user name patterns, separated by spaces. The syntax of these directives is as follows:
DenyUsers PATTERNS
AllowUsers PATTERNS
Similarly, to control access for specific groups, OpenSSH provides the following options:
DenyGroups PATTERNS
AllowGroups PATTERNS
The PATTERNS field is a list of patterns separated by spaces. In the case of “AllowUsers” and “DenyUsers”, each pattern can be a user name; in the case of “AllowGroups” and “DenyGroups”, each pattern can be a group name. Note that you cannot use a UID or GID in place of a user name or group name.
OpenSSH uses the following order of evaluation to determine the access permissions for a user:
DenyUsers
AllowUsers
DenyGroups
AllowGroups
Placing the following line in the sshd_config file denies users neo, liz and mark from logging in using SSH:
DenyUsers neo liz mark
Some more examples:
DenyUsers liz mark
AllowUsers neo
DenyGroups Finance Sales
AllowGroups Developers Quality
The following example denies user neo from logging in from the specific IP address 172.16.5.30. Note that a similar pattern can be specified with the other directives, “AllowUsers”, “DenyGroups” and “AllowGroups”, as well.
DenyUsers neo@172.16.5.30
To deny user neo from logging in from the specific host “neo.techpulp.com“:
DenyUsers neo@neo.techpulp.com
In addition to plain user names and group names, a pattern can contain wildcards.
To deny user neo from logging in from the domain “techpulp.com“, the wildcard “*” is used:
DenyUsers neo@*.techpulp.com
To deny user neo from logging in from any IP address that starts with “172.16.5.“, the wildcard “*” is used:
DenyUsers neo@172.16.5.*
To deny user neo from logging in from any IP address that starts with “172.16.5.2“, the wildcard “?” is used. “?” matches exactly one character, so in a dotted IP address it stands for a single digit (0-9); this effectively denies user neo from logging in from the IP address range 172.16.5.20 to 172.16.5.29.
DenyUsers neo@172.16.5.2?
A more complex example:
DenyUsers neo@172.16.*.2?
You can also use “*” in place of a user name or group name to apply the rule to all users or groups. The following example denies all users from logging in from the IP address 172.16.5.20:
DenyUsers *@172.16.5.20
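As an added illustration (not code from the original article or from OpenSSH itself), the following Python simulator reads the four directives from an sshd_config fragment and applies them in the evaluation order described above, using the same “*” and “?” wildcard semantics. It assumes the client is identified only by its address string; real sshd also compares the host part of a USER@HOST pattern against the client's reverse-resolved hostname (which requires UseDNS), and that is not modelled here.

```python
import re

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")  # sshd's evaluation order
KEYWORDS = {k.lower(): k for k in ORDER}  # sshd_config keywords are case-insensitive

def glob_match(pattern, value):
    """OpenSSH-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def match_user(pattern, user, host):
    """Match a USER or USER@HOST pattern; the host part is matched against the client address."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return glob_match(user_pat, user) and glob_match(host_pat, host)
    return glob_match(pattern, user)

def parse_sshd_config(text):
    """Collect the PATTERNS of the four directives; repeated lines accumulate."""
    rules = {k: [] for k in ORDER}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split keyword from value
        if len(parts) == 2 and parts[0].lower() in KEYWORDS:
            rules[KEYWORDS[parts[0].lower()]].extend(parts[1].split())
    return rules

def is_allowed(rules, user, host, groups):
    """Apply sshd's evaluation order; return (allowed, deciding directive)."""
    if any(match_user(p, user, host) for p in rules["DenyUsers"]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not any(match_user(p, user, host) for p in rules["AllowUsers"]):
        return False, "AllowUsers"
    if any(glob_match(p, g) for p in rules["DenyGroups"] for g in groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not any(glob_match(p, g) for p in rules["AllowGroups"] for g in groups):
        return False, "AllowGroups"
    return True, "allowed"

SAMPLE_CONFIG = """# constructed sample config combining the article's examples
DenyUsers liz mark neo@172.16.5.2?
AllowUsers neo admin*
DenyGroups Finance Sales
AllowGroups Developers Quality
"""

if __name__ == "__main__":
    rules = parse_sshd_config(SAMPLE_CONFIG)
    print(is_allowed(rules, "neo", "172.16.5.25", ["Developers"]))  # (False, 'DenyUsers')
    print(is_allowed(rules, "neo", "172.16.5.2", ["Developers"]))   # (True, 'allowed'): '?' needs one digit
```

Note that neo is listed in AllowUsers yet is still refused when a DenyUsers or DenyGroups pattern matches, because the deny directives are evaluated first.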


about 4 months ago
First I couldn’t figure out why my connection died as soon as I logged out the local GUI user. Then I realized it was because the wifi got disconnected. wicd is a good alternative to the default Gnome network-manager. It auto-connects to the preferred wifi network even before a GUI user has logged on, which was a good thing in my case.