Restricting Access to SSH Connections
SSH is a secure, encrypted replacement for common login services like, telnet, rlogin and rsh.
The most commonly used restriction on most servers is to not to allow root to log in using SSH.
PermitRootLogin no
Deny & Allow directives
The most under utilised feature of SSH is the ability to restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups parameters in the SSH configuration. For example:
DenyUsers brian david AllowUsers adam carol DenyGroups accounts sales AllowGroups ops admin
NOTE: The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
Using wildcards
As well as individual user and group entries being explicitly entered, we can also use pattern matching (wildcards) to specify multiple users and groups.
A pattern consists of zero or more non-whitespace characters, * (a wildcard that matches zero or more characters), or ? (a wildcard that matches exactly one character).
For example: To prevent logins who names begin with a from accessing the system, or to permit all groups ending in admin we could specify:
DenyUsers a* AllowGroups ??admin
Note: Remember the processing order for the allow/deny directives
Parameter definitions
From the sshd_config(5) man page:
| Parameter | Description |
|---|---|
| DenyUsers | This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. |
| AllowUsers | This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognised. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. |
| DenyGroups | This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. |
| AllowGroups | This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. |