How to configure SSH to permit root login only from specific hosts or IP addresses? How to configure SSH to permit login only for certain users and/or groups? How to restrict password-based logins to certain users and/or hosts? How to restrict SSH login to certain users only? How to allow SSH login as root from certain hosts only?

Restrict SSH login via root for specific host

Here I will show the steps to block SSH login as 'root' on node3 only from node2 (10.0.2.31), while SSH login as root from all other hosts remains allowed on node3.

Open your sshd_config file for editing

[root@node3 ~]# vim /etc/ssh/sshd_config
# 'yes' allows root login from any host not covered by a Match block below
PermitRootLogin yes

# Match block to deny root login from node2 (10.0.2.31). Keep it after the global
# options: a Match block extends to the next Match line or the end of the file
Match Address 10.0.2.31
        PermitRootLogin no

Next, exit the editor and restart the sshd service

[root@node3 ~]# systemctl restart sshd

Now from node2 (10.0.2.31) I will try to SSH to node3 as root, and as expected it fails

[root@node2 ~]# ssh node3
root@node3's password:
Permission denied, please try again.
root@node3's password:

If we check the syslog on node3, we get more information about the cause of the SSH failure.

[root@node3 ~]# tail -f /var/log/messages
May 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)
May 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31  user=root
May 01 23:00:09 node3.example.com sshd[14003]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2

Allow SSH login using passwords only from specific hosts

To allow SSH login using passwords only from specific hosts, for example when enforcing key-based SSH login for all users while making an exception for specific hosts:

[root@node3 ~]# vim /etc/ssh/sshd_config
# 'no' disables password authentication for every host not matched by a Match block below
PasswordAuthentication no

# Match block allowing password-based login only from node2 (10.0.2.31)
Match Address 10.0.2.31
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Now try SSH from any host other than node2 (here 10.0.2.2) and observe the result in the syslog on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
May 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]

As expected, the SSH login is not allowed: password authentication is disabled for that host and the client offers no key that node3 accepts.

Now try SSH from node2

[root@node2 ~]# ssh root@node3
root@node3's password:
Last login: Thu May  2 19:48:16 2019 from 10.0.2.2
[root@node3 ~]#

So, we were able to SSH to node3 from node2 successfully.

Observe the messages in syslog on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
May 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.
May 02 19:54:01 node3.example.com sshd[4510]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 02 19:54:01 node3.example.com systemd-logind[2775]: New session 3 of user root.
May 02 19:54:02 node3.example.com dbus[2764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 02 19:54:02 node3.example.com dbus[2764]: [system] Successfully activated service 'org.freedesktop.problems'
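The syslog lines shown above are exactly what a defender parses to confirm that the Match blocks are doing what was intended. The following Python is an added example, not code from the article: it turns sshd authentication lines of the kinds shown on this page into records, flags accepted password logins whose user and source address fall outside an allowlist, and counts failed or pre-authentication-aborted attempts per source. The sample lines are constructed from the article's excerpts (the 10.0.3.9 and publickey lines are added to exercise the checks), and the allowlist is an assumption for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, modelled on the syslog excerpts in the article.
# The 10.0.3.9 and publickey lines are added to exercise the checks below.
SAMPLE_LOG = """\
May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2
May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
May 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]
May 02 20:07:12 node3.example.com sshd[4718]: Accepted password for deepak from 10.0.2.31 port 36314 ssh2
May 02 21:30:00 node3.example.com sshd[6001]: Accepted password for deepak from 10.0.3.9 port 50001 ssh2
May 02 21:31:00 node3.example.com sshd[6002]: Accepted publickey for deepak from 10.0.2.31 port 50002 ssh2
"""

# "Accepted|Failed <method> for [invalid user] <user> from <ip> port <port>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
# Connections that ended before any authentication succeeded
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:error: )?(?:Received disconnect from|Connection closed by) "
    r"(?P<ip>[\d.]+) port (?P<port>\d+).*\[preauth\]"
)


def parse_sshd_events(text):
    """Turn raw syslog lines into dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({"event": m["result"].lower(), "method": m["method"],
                           "user": m["user"], "ip": m["ip"], "port": int(m["port"])})
            continue
        m = PREAUTH_RE.search(line)
        if m:
            events.append({"event": "preauth_disconnect", "method": None,
                           "user": None, "ip": m["ip"], "port": int(m["port"])})
    return events


# Assumed policy for the example, mirroring the article's intent: password
# logins are expected only for deepak and only from the 10.0.2.0/24 subnet.
PASSWORD_ALLOWLIST = {"deepak": ipaddress.ip_network("10.0.2.0/24")}


def unexpected_password_logins(events, allowlist=PASSWORD_ALLOWLIST):
    """Accepted password logins whose user/source pair is not in the allowlist.
    A hit here means the sshd_config Match blocks are not enforcing the intended policy."""
    flagged = []
    for ev in events:
        if ev["event"] != "accepted" or ev["method"] != "password":
            continue
        net = allowlist.get(ev["user"])
        if net is None or ipaddress.ip_address(ev["ip"]) not in net:
            flagged.append((ev["user"], ev["ip"]))
    return flagged


def rejected_attempts_by_source(events):
    """Count failed authentications and pre-auth disconnects per source address."""
    return Counter(ev["ip"] for ev in events
                   if ev["event"] in ("failed", "preauth_disconnect"))


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_LOG)
    print("unexpected password logins:", unexpected_password_logins(evs))
    print("rejected attempts by source:", dict(rejected_attempts_by_source(evs)))
```

Run against the sample, the root login from 10.0.2.31 and the deepak login from 10.0.3.9 are reported as unexpected, while the publickey login is ignored because the policy only concerns password authentication. On a real host, feed it `journalctl -u sshd` or `/var/log/messages` output instead of the constructed string.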

Allow SSH for certain users, hosts and subnets

To allow password-based SSH login only for user deepak from all hosts in the subnet 10.0.2.*, make the following changes in your sshd_config file

[root@node3 ~]# vim /etc/ssh/sshd_config
# 'no' disables password authentication for every host not matched by a Match block below
PasswordAuthentication no

# Match block allowing password-based login for deepak only, and only from subnet 10.0.2.*
Match User deepak Address 10.0.2.*
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Next, try to SSH as any other user from node2 to node3. As expected, SSH is denied: password authentication is off for that user, and the client holds no key that node3 accepts. Note that this Match block only governs password authentication; a user who already has an authorized key on node3 would still be able to log in with it.

[root@node2 ~]# ssh <other-user>@node3
Permission denied (publickey).

Check the syslog on node3 for the cause of the rejection

May 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]

Now try SSH as user 'deepak' from node2

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Mon Feb 25 20:56:05 2019
[deepak@node3 ~]$

As expected it worked.

Observe the messages in syslog on node3.

[root@node3 ~]# tail -f /var/log/messages
May 02 20:07:12 node3.example.com sshd[4718]: Accepted password for deepak from 10.0.2.31 port 36314 ssh2
May 02 20:07:13 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 20:07:13 node3.example.com systemd[1]: Started Session 6 of user deepak.
May 02 20:07:13 node3.example.com systemd-logind[2775]: New session 6 of user deepak.
May 02 20:07:13 node3.example.com sshd[4718]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

Allow SSH login only for a certain group

To allow password-based SSH login only for users belonging to the group 'techteam', add the following to your sshd_config

[root@node3 ~]# vim /etc/ssh/sshd_config
# 'no' disables password authentication for every user not matched by a Match block below
PasswordAuthentication no

# Match block allowing password-based login for all users that are members of group 'techteam'
Match Group techteam
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Here 'deepak' is a member of my 'techteam' group

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Thu May  2 20:56:07 2019 from 10.0.2.31

So now 'deepak' is able to SSH to node3 successfully

[root@node3 ~]# tail -f /var/log/messages
May 02 21:12:44 node3.example.com sshd[5847]: Accepted password for deepak from 10.0.2.31 port 36370 ssh2
May 02 21:12:44 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 21:12:44 node3.example.com systemd[1]: Started Session 17 of user deepak.
May 02 21:12:45 node3.example.com systemd-logind[2775]: New session 17 of user deepak.
May 02 21:12:45 node3.example.com sshd[5847]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

I will log out of the 'deepak' user's session

[deepak@node3 ~]$ logout
Connection to node3 closed.

Next I will try SSH with another user, 'sharan', who is not a member of techteam

# id sharan
uid=1003(sharan) gid=1003(sharan) groups=1003(sharan)

[root@node2 ~]# ssh sharan@node3
Permission denied (publickey).

As expected, SSH is denied, and node3 logs the following message

[root@node3 ~]# tail -f /var/log/messages
May 02 22:47:00 node3.example.com sshd[6938]: Connection closed by 10.0.2.31 port 36396 [preauth]
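Every section above relies on the same resolution rule: sshd reads the global options, then applies the first Match block whose criteria all hold for the incoming connection, and a Match block extends to the next Match line or the end of the file. The following Python is an added example, not code from the article or from OpenSSH: it models that resolution for the User, Group and Address criteria (pattern lists with '*' and '?' wildcards and '!' negation, plus CIDR blocks for Address, which goes beyond what the article uses) and evaluates the article's three configurations for the connections it tries. The group memberships passed in are assumptions, since the article does not show them.

```python
import fnmatch
import ipaddress


def _pattern_hits(value, pattern_list, is_addr=False):
    """OpenSSH pattern-list semantics: comma-separated patterns with '*' and '?';
    a leading '!' negates, and a negated match rejects immediately. For Address
    criteria a pattern may also be a CIDR block such as 10.0.2.0/24."""
    hit = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if is_addr and "/" in pat:
            matched = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        else:
            matched = fnmatch.fnmatchcase(value, pat)
        if matched:
            if negate:
                return False
            hit = True
    return hit


def parse_sshd_config(text):
    """Return (criteria, keyword, value) triples in file order. criteria is None
    for lines before the first Match, otherwise the dict of Match criteria in
    force until the next Match line or the end of the file."""
    entries, criteria = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":
            criteria, i = {}, 1
            while i < len(parts):
                crit = parts[i].lower()
                if crit == "all":              # 'Match all' takes no argument
                    criteria[crit] = None
                    i += 1
                else:
                    criteria[crit] = parts[i + 1]
                    i += 2
            continue
        entries.append((criteria, keyword, " ".join(parts[1:])))
    return entries


def _criteria_hold(criteria, user, addr, groups):
    for crit, pattern in criteria.items():
        if crit == "all":
            continue
        if crit == "user":
            ok = _pattern_hits(user, pattern)
        elif crit == "group":
            ok = any(_pattern_hits(g, pattern) for g in groups)
        elif crit == "address":
            ok = _pattern_hits(addr, pattern, is_addr=True)
        else:
            raise ValueError(f"Match criterion not modelled here: {crit}")
        if not ok:
            return False
    return True


def effective_value(config_text, keyword, user, addr, groups=(), default=None):
    """Resolve a keyword the way sshd does: the first Match block whose criteria
    hold and which sets the keyword wins; otherwise the first global setting;
    otherwise the built-in default."""
    kw = keyword.lower()
    entries = parse_sshd_config(config_text)
    for criteria, k, value in entries:
        if criteria is not None and k == kw and _criteria_hold(criteria, user, addr, groups):
            return value
    for criteria, k, value in entries:
        if criteria is None and k == kw:
            return value
    return default


# The three configuration shapes used in the article, reproduced from it.
ROOT_CFG = """
PermitRootLogin yes
Match Address 10.0.2.31
        PermitRootLogin no
"""
USER_SUBNET_CFG = """
PasswordAuthentication no
Match User deepak Address 10.0.2.*
        PasswordAuthentication yes
"""
GROUP_CFG = """
PasswordAuthentication no
Match Group techteam
        PasswordAuthentication yes
"""


def article_scenarios():
    """Effective values for the connections the article tries (group membership is assumed)."""
    return {
        "root from node2":       effective_value(ROOT_CFG, "PermitRootLogin", "root", "10.0.2.31"),
        "root from 10.0.2.2":    effective_value(ROOT_CFG, "PermitRootLogin", "root", "10.0.2.2"),
        "deepak from node2":     effective_value(USER_SUBNET_CFG, "PasswordAuthentication", "deepak", "10.0.2.31"),
        "sharan from node2":     effective_value(USER_SUBNET_CFG, "PasswordAuthentication", "sharan", "10.0.2.31"),
        "deepak from 192.0.2.9": effective_value(USER_SUBNET_CFG, "PasswordAuthentication", "deepak", "192.0.2.9"),
        "techteam member":       effective_value(GROUP_CFG, "PasswordAuthentication", "deepak", "10.0.2.31", groups=("deepak", "techteam")),
        "non-member":            effective_value(GROUP_CFG, "PasswordAuthentication", "sharan", "10.0.2.31", groups=("sharan",)),
    }


if __name__ == "__main__":
    for name, value in article_scenarios().items():
        print(f"{name:24s} -> {value}")
```

On a real host the equivalent check is built in: `sshd -t` validates the file's syntax, and `sshd -T -C user=deepak,host=node2,addr=10.0.2.31` prints the effective configuration for that particular connection, so both can be run before `systemctl restart sshd` instead of discovering a mistake from a rejected login.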

Lastly, I hope the steps in this article to restrict or allow SSH for certain users, groups and hosts in Linux were helpful. Let me know your suggestions and feedback in the comment section.