Restricting Access to SSH Connections

SSH is a secure, encrypted replacement for common login services like telnet, rlogin and rsh.

The most commonly used restriction on servers is not to allow root to log in using SSH:

PermitRootLogin no

Deny & Allow directives

The most under-utilised feature of SSH is the ability to restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers and DenyGroups parameters in the SSH server configuration (sshd_config). For example:

DenyUsers brian david
AllowUsers adam carol
DenyGroups accounts sales
AllowGroups ops admin

NOTE: The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

Using wildcards

As well as listing individual users and groups explicitly, we can use pattern matching (wildcards) to specify multiple users and groups at once.

A pattern consists of zero or more non-whitespace characters, * (a wildcard that matches zero or more characters), or ? (a wildcard that matches exactly one character).

For example, to prevent users whose names begin with a from accessing the system, and to permit only groups whose names are exactly two characters followed by admin (? matches exactly one character, so ??admin matches itadmin but not sysadmin; use *admin for any name ending in admin), we could specify:

DenyUsers a*
AllowGroups ??admin

Note: remember the processing order for the allow/deny directives. A DenyUsers match is final, so a user caught by DenyUsers a* stays locked out even if the same name is also listed under AllowUsers.
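To make the processing order and the wildcard rules concrete, here is a small simulator (added here as an illustration; it is not part of the original article or of OpenSSH) that parses the four directives from sshd_config-style text and applies them in sshd's order. It assumes the caller supplies the user name, the user's primary plus supplementary groups, and the client host string that a USER@HOST pattern is compared against; PermitRootLogin and other keywords are ignored.

```python
import re

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")  # sshd's evaluation order, per sshd_config(5)

def matches(pattern, value):
    """sshd pattern match: * is zero or more characters, ? exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def user_matches(pattern, user, host):
    """A USER@HOST pattern checks the user name and the client host separately."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return matches(upat, user) and matches(hpat, host)
    return matches(pattern, user)

def parse_config(text):
    cfg = {name: [] for name in ORDER}
    for line in text.splitlines():
        parts = line.split(None, 1)          # keyword, then its space-separated patterns
        if len(parts) == 2 and parts[0] in cfg:  # other keywords and comments are ignored
            cfg[parts[0]].extend(parts[1].split())
    return cfg

def login_permitted(cfg, user, groups, host="localhost"):
    """Return (allowed, deciding_directive); groups = primary + supplementary groups."""
    if any(user_matches(p, user, host) for p in cfg["DenyUsers"]):
        return False, "DenyUsers"
    if cfg["AllowUsers"] and not any(user_matches(p, user, host) for p in cfg["AllowUsers"]):
        return False, "AllowUsers"
    if any(matches(p, g) for p in cfg["DenyGroups"] for g in groups):
        return False, "DenyGroups"
    if cfg["AllowGroups"] and not any(matches(p, g) for p in cfg["AllowGroups"] for g in groups):
        return False, "AllowGroups"
    return True, "allowed"

SAMPLE_CONFIG = """# constructed sample configuration, not a real server's file
PermitRootLogin no
# a* is checked first, so it denies adam even though AllowUsers names him
DenyUsers brian a*
AllowUsers adam carol *@10.0.0.*
DenyGroups accounts sales
# ??admin matches itadmin but not sysadmin: ? is exactly one character
AllowGroups ops ??admin
"""
CONFIG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(login_permitted(CONFIG, "adam", ["ops"]), login_permitted(CONFIG, "carol", ["sysadmin"]))
```

On a real server the authoritative check is sshd itself; the simulator only helps reason about which directive will decide a given login before the configuration is deployed.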

Parameter definitions

From the sshd_config(5) man page:

DenyUsers
    This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

AllowUsers
    This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

DenyGroups
    This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.

AllowGroups
    This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.