This article demonstrates how to restrict SSH access to only specified users and/or groups. You can do the reverse by allowing all but a few users to SSH into the server but we’ll focus on allowing only those we specify.
Open the file “/etc/ssh/sshd_config” and look for (or create if it doesn’t exist) the line that follows (for example):
AllowUsers ben sam agix*
The users “ben”, “sam” and all users who’s usernames begin with “agix” (such as agix, agix2, agix3) will be permitted to log into this server.
You can do the same with groups using the “AllowGroups” option. Note that there are “DenyUsers” and “DenyGroups” options too. Use with “Allow” or “Deny” but not both.
Restart SSHd for the changes to take effect.
systemctl restart sshd
Important things to consider:
- Make sure you have another means to log into the server in the event that you lock yourself out. For example, if you forget to add your own username to the list of allowed users, you will have a hard time trying to get back in.
- If you permit the “root” user to login using the “PermitRootLogin” option but don’t list the “root” user in the “AllowUsers” list of users, the “root” user will not be allowed to login using SSH.
You can read more at “https://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html“.
