Another article, How to make ssh server more secure, discusses different ways to make an SSH server more secure. In this article, I'll focus on how to deny or restrict SSH login to particular users and groups.

Here is how.

Besides other OS-layer access controls, OpenSSH has two directives for allowing and denying SSH user access. They are set in the sshd_config file. You can use the following configuration to restrict which users can log in to your Linux, Unix or BSD based server.

The default is to allow everyone.

Restricting which users can ssh log in

Specifically deny some users

Use DenyUsers to block user login.

DenyUsers user1 user2 user3

Note: You can use wildcards or a user@host pattern.

So, for example, if you want to deny the users test and fibrevillage:

Append the following line to /etc/ssh/sshd_config

DenyUsers test fibrevillage

Specifically Allow some users

Similarly, you can list specific users in AllowUsers; users not on the AllowUsers list will be denied.

Append this line to /etc/ssh/sshd_config

AllowUsers fibrevillage

So, users other than fibrevillage will be denied SSH access to this host.

Restricting which groups can ssh log in

Specifically deny some groups

Use DenyGroups to block group login.

DenyGroups groups1 groups2 groups3

Note: If one of the listed groups is the user's primary or supplementary group, login access is denied. You can use wildcards. Please note that you cannot use a numeric group ID or user ID. If these directives are not used,

So, for example, if you want to deny groupA and groupB:

Append the following line to /etc/ssh/sshd_config

DenyGroups groupA groupB

Specifically Allow some groups

Similarly, you can list specific groups in AllowGroups; users who are not in a group on the AllowGroups list will be denied.

Append this line to /etc/ssh/sshd_config

AllowGroups fibrevillage

So, only members of the groups listed in AllowGroups are allowed to log in to the server. Users not in a listed group will be denied SSH access to this host.

Restricting root user

For security reasons you should always block access for the root user and group on Linux or Unix-like systems. First, make sure at least one user is allowed to use the 'su -' or 'sudo' command on the server. Open the /etc/ssh/sshd_config file and append the following directives:

DenyUsers root
DenyGroups root

Also make sure the following is set in sshd_config:

PermitRootLogin no

Restart sshd services

In all of the above cases, you will need to restart the sshd service for the changes to take effect.

On RHEL6

service sshd restart

On RHEL7/CentOS7

systemctl restart sshd
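
A mistake in these directives can lock out the accounts you still need. The following added example (not part of the original article) models how the four lists combine, checked in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and reports whether a given user would still get in. The function names and the sample config are constructed for illustration, and only plain names and * / ? wildcards are handled.

```bash
#!/usr/bin/env bash
# Added example: simplified model of the sshd_config user/group checks.
# Handles plain names and * / ? wildcards only (no user@host, no Match blocks).
# Function names and the sample config are constructed for illustration.

# patterns_for KEYWORD FILE: print every pattern set for KEYWORD.
# Keywords are case-insensitive; patterns from repeated lines are merged.
patterns_for() {
    awk -v kw="$1" 'tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# matches_any PATTERNS NAME...: succeed if any NAME matches any pattern.
# Runs in a subshell so that "set -f" (no filename expansion) stays local.
matches_any() (
    set -f
    patterns=$1; shift
    for pat in $patterns; do
        for name in "$@"; do
            case $name in $pat) return 0 ;; esac
        done
    done
    return 1
)

# ssh_access FILE USER GROUP...: print "allow" or "deny (<directive>)".
# Order of checks: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
ssh_access() {
    local cfg="$1" user="$2" du au dg ag
    shift 2
    du=$(patterns_for DenyUsers "$cfg");  au=$(patterns_for AllowUsers "$cfg")
    dg=$(patterns_for DenyGroups "$cfg"); ag=$(patterns_for AllowGroups "$cfg")
    if matches_any "$du" "$user"; then echo "deny (DenyUsers)"; return 1; fi
    if [ -n "$au" ] && ! matches_any "$au" "$user"; then echo "deny (AllowUsers)"; return 1; fi
    if matches_any "$dg" "$@"; then echo "deny (DenyGroups)"; return 1; fi
    if [ -n "$ag" ] && ! matches_any "$ag" "$@"; then echo "deny (AllowGroups)"; return 1; fi
    echo "allow"
}

# Constructed sample config combining the directives discussed above.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
DenyUsers root test
DenyGroups groupA
AllowGroups sshusers admins
EOF

ssh_access "$SAMPLE_CFG" root root || true                # deny (DenyUsers)
ssh_access "$SAMPLE_CFG" alice alice sshusers || true     # allow
ssh_access "$SAMPLE_CFG" bob bob groupA sshusers || true  # deny (DenyGroups)
ssh_access "$SAMPLE_CFG" carol carol || true              # deny (AllowGroups)
```

When both AllowUsers and AllowGroups are set, a user has to pass both checks. Run sshd -t to check the real file for syntax errors before restarting.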
