This article answers the following questions: how to configure SSH to permit root login only from a specific host or IP address, how to permit login only for certain users and/or groups, and how to restrict password based logins to certain users and/or hosts. All of it is done with Match blocks in sshd_config.

How to restrict or allow ssh only from certain users, groups or hosts in Linux

Restrict SSH login via root for specific host

Here I will show you the steps to refuse SSH login as 'root' on node3 only when the connection comes from node2 (10.0.2.31); root logins from every other host remain allowed.

Open your sshd_config file for editing

[root@node3 ~]# vim /etc/ssh/sshd_config
# Global setting: root login is allowed from every host
PermitRootLogin yes

# Match block: refuse root login only when the client address is node2 (10.0.2.31)
Match Address 10.0.2.31
        PermitRootLogin no

A Match block applies to every directive that follows it until the next Match line, so keep Match blocks after the global settings, normally at the end of the file. Exit the editor, check the syntax with sshd -t (a broken configuration would leave sshd unable to start and lock you out), then restart the sshd service

[root@node3 ~]# systemctl restart sshd

Now from node2 (10.0.2.31) I will try to ssh to node3 as root, and as expected it fails

[root@node2 ~]# ssh node3
root@node3's password:
Permission denied, please try again.
root@node3's password:

If we check the syslog on node3, we get more information on the cause of the failure. Note that sshd evaluates PermitRootLogin only after the password check itself has succeeded: the lines below show a password that was rejected, and with the correct root password the log would instead contain "ROOT LOGIN REFUSED FROM 10.0.2.31". The pam_succeed_if line comes from the distribution's PAM stack, not from the Match block.

[root@node3 ~]# tail -f /var/log/messages
May 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)
May 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31  user=root
May 01 23:00:09 node3.example.com sshd[14003]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2


Allow SSH login using passwords only from specific hosts

To allow password based SSH login only from specific hosts, e.g. when enforcing public key authentication for all users while making an exception for specific trusted hosts:

[root@node3 ~]# vim /etc/ssh/sshd_config
# Global setting: no password based login from any host (public keys only)
PasswordAuthentication no

# Match block: allow password based login only when the client is node2 (10.0.2.31)
Match Address 10.0.2.31
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Now try to SSH from any other host (here 10.0.2.2, which has no key that node3 accepts) and observe the result in the syslog on node3. The server offers only public key authentication, so the client gives up before authenticating:

[root@node3 ~]# tail -f /var/log/messages
May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
May 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]

As expected, the login is not allowed.

Now try SSH from node2

[root@node2 ~]# ssh root@node3
root@node3's password:
Last login: Thu May  2 19:48:16 2019 from 10.0.2.2
[root@node3 ~]#

So we were able to SSH from node2 to node3 with a password.

Observe the messages in syslog on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
May 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.
May 02 19:54:01 node3.example.com sshd[4510]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 02 19:54:01 node3.example.com systemd-logind[2775]: New session 3 of user root.
May 02 19:54:02 node3.example.com dbus[2764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 02 19:54:02 node3.example.com dbus[2764]: [system] Successfully activated service 'org.freedesktop.problems'
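The syslog excerpts above (a rejected password and a pre-auth disconnect in the first section, an accepted password here) are exactly the message kinds a log pipeline has to recognise. The following is an added example, not code from the original article: a small parser that classifies these sshd lines per source address and applies two checks a practitioner would run over them, repeated failures from one source and a root login that used a password. The lines marked constructed (the 198.51.100.7 entries and the publickey login) are made up for the example; the rest are copied from the excerpts above. Function names are the example's own.

```python
"""Classify sshd authentication lines from syslog and flag suspicious sources.

Added example, not code from the original article. It recognises the message
kinds shown in the /var/log/messages excerpts: "Accepted/Failed <method> for
<user> from <ip> port <n>" and the "[preauth]" disconnects logged when a
client never manages to authenticate. Function names are the example's own."""
import re
from collections import defaultdict

# e.g. "sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2"
#      "sshd[6001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# Client disconnected before authenticating; newer sshd versions may insert
# "authenticating user <name>" or "invalid user <name>" before the address.
PREAUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:error: )?(?:Received disconnect from|"
    r"Connection closed by|Disconnected from) (?:(?:invalid|authenticating) user \S+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+) port \d+.*\[preauth\]"
)


def parse_sshd_line(line):
    """Return a dict describing the event, or None for lines that are not
    sshd authentication events (PAM chatter, systemd, dbus, ...)."""
    m = AUTH_RE.search(line)
    if m:
        return {"kind": "auth", "pid": m["pid"], "result": m["result"],
                "method": m["method"], "user": m["user"], "ip": m["ip"],
                "invalid_user": m["invalid"] is not None}
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "preauth", "pid": m["pid"], "ip": m["ip"]}
    return None


def summarize(lines):
    """Aggregate events per source address. Pre-auth disconnects are recorded
    per sshd child pid, because one connection can log several [preauth] lines."""
    stats = defaultdict(lambda: {"accepted": [], "failed": [], "preauth_pids": set()})
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        entry = stats[ev["ip"]]
        if ev["kind"] == "preauth":
            entry["preauth_pids"].add(ev["pid"])
        elif ev["result"] == "Accepted":
            entry["accepted"].append((ev["user"], ev["method"]))
        else:
            entry["failed"].append((ev["user"], ev["method"]))
    return dict(stats)


def find_alerts(stats, fail_threshold=3):
    """Two checks worth running over the summary: repeated failures from one
    source (password guessing) and a root login that used a password, which
    contradicts a keys-only policy for root."""
    alerts = []
    for ip in sorted(stats):
        entry = stats[ip]
        if len(entry["failed"]) >= fail_threshold:
            alerts.append((ip, "password-guessing"))
        if ("root", "password") in entry["accepted"]:
            alerts.append((ip, "root-password-login"))
    return alerts


SAMPLE_LINES = [
    # copied from the article's /var/log/messages excerpts
    "May 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)",
    "May 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31  user=root",
    "May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2",
    "May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]",
    "May 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]",
    "May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2",
    "May 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.",
    # constructed for this example (not from the article); the fingerprint is a placeholder
    "May 02 20:30:00 node3.example.com sshd[5100]: Accepted publickey for deepak from 10.0.2.31 port 36400 ssh2: RSA SHA256:constructedfingerprint000000000000000000000",
    "May 02 21:00:01 node3.example.com sshd[6001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "May 02 21:00:03 node3.example.com sshd[6002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "May 02 21:00:05 node3.example.com sshd[6003]: Failed password for root from 198.51.100.7 port 40003 ssh2",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    for ip, entry in sorted(stats.items()):
        print(ip, "accepted:", entry["accepted"], "failed:", entry["failed"],
              "pre-auth connections:", len(entry["preauth_pids"]))
    for ip, reason in find_alerts(stats):
        print("ALERT", ip, reason)
```

Pre-auth events are keyed by the sshd child pid because one connection logs several [preauth] lines (the 10.0.2.2 connection above produced two); counting lines instead of pids would inflate the numbers. On a real host you would feed the functions the output of journalctl -u sshd -o cat, or the auth log, instead of the embedded list.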


Allow password based SSH for a certain user from a subnet

To allow password based SSH login only for user deepak, and only from hosts in the subnet 10.0.2.*, make the following changes in your sshd_config. Both criteria on the Match line must be satisfied for the block to apply. The Address criterion accepts wildcard patterns as well as CIDR notation, so 10.0.2.0/24 would be equivalent here.

[root@node3 ~]# vim /etc/ssh/sshd_config
# Global setting: no password based login from any host (public keys only)
PasswordAuthentication no

# Match block: allow password based login only for user deepak from the subnet 10.0.2.*
Match User deepak Address 10.0.2.*
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Next, try to ssh as any other user (here root) from node2 to node3. Root does not match the Match block, so node3 offers only public key authentication, which node2 cannot satisfy, and as expected the login is denied

[root@node2 ~]# ssh root@node3
Permission denied (publickey).

Check the syslog on node3: the client gave up before authenticating, so only a pre-auth disconnect is logged

May 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]

Now try to SSH as user 'deepak' from node2

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Mon Feb 25 20:56:05 2019
[deepak@node3 ~]$

As expected it worked.

Observe the messages in syslog on node3.

[root@node3 ~]# tail -f /var/log/messages
May 02 20:07:12 node3.example.com sshd[4718]: Accepted password for deepak from 10.0.2.31 port 36314 ssh2
May 02 20:07:13 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 20:07:13 node3.example.com systemd[1]: Started Session 6 of user deepak.
May 02 20:07:13 node3.example.com systemd-logind[2775]: New session 6 of user deepak.
May 02 20:07:13 node3.example.com sshd[4718]: pam_unix(sshd:session): session opened for user deepak by (uid=0)


Allow password based SSH login only for a certain group

To allow password based SSH login only for users belonging to the group 'techteam', add the following to your sshd_config. Note that this controls password authentication only: a user outside techteam who has an authorized public key on node3 can still log in. To refuse every login from users outside the group, whatever the authentication method, use the AllowGroups directive instead of, or in addition to, a Match block.

[root@node3 ~]# vim /etc/ssh/sshd_config
# Global setting: no password based login from any host (public keys only)
PasswordAuthentication no

# Match block: allow password based login for all users in the group 'techteam'
Match Group techteam
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Here 'deepak' is a member of my 'techteam' group, so the password login from node2 succeeds

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Thu May  2 20:56:07 2019 from 10.0.2.31

So now ‘deepak‘ is successfully able to SSH to node3

[root@node3 ~]# tail -f /var/log/messages
May 02 21:12:44 node3.example.com sshd[5847]: Accepted password for deepak from 10.0.2.31 port 36370 ssh2
May 02 21:12:44 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 21:12:44 node3.example.com systemd[1]: Started Session 17 of user deepak.
May 02 21:12:45 node3.example.com systemd-logind[2775]: New session 17 of user deepak.
May 02 21:12:45 node3.example.com sshd[5847]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

I will log out of the 'deepak' user's session

[deepak@node3 ~]$ logout
Connection to node3 closed.

Next I will try SSH from node2 with another user, 'sharan', who is not part of techteam (and has no key on node3)

[root@node3 ~]# id sharan
uid=1003(sharan) gid=1003(sharan) groups=1003(sharan)

[root@node2 ~]# ssh sharan@node3
Permission denied (publickey).

As expected the login is denied, and node3 logs only a pre-auth disconnect

[root@node3 ~]# tail -f /var/log/messages
May 02 22:47:00 node3.example.com sshd[6938]: Connection closed by 10.0.2.31 port 36396 [preauth]
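All four configurations in this article rely on the same mechanism: a global value, overridden by the first Match block whose criteria all hold. The quickest way to confirm what sshd will actually apply to a connection, without opening one, is sshd -T with -C, for example sshd -T -C user=deepak,host=node2.example.com,addr=10.0.2.31 | grep -i passwordauthentication, which prints the effective value for that user and source address. The block below is an added example, not code from the original article or from OpenSSH: a small re-implementation of the Match evaluation rules (User, Group, Address and All criteria, pattern lists with ! negation, CIDR or wildcard addresses, first matching block wins per keyword) run against a constructed sshd_config that combines the three policies above. Function and variable names are the example's own.

```python
"""Which sshd_config settings apply to a given connection? Added example, not
code from the original article or from OpenSSH: a re-implementation of sshd's
Match handling. Assumptions: only User, Group, Address and All criteria; plain
"Keyword value" lines; fnmatch stands in for OpenSSH's own '*'/'?' matcher."""
import fnmatch
import ipaddress


def pattern_list_match(patterns, value, address=False):
    """OpenSSH pattern lists: comma-separated, '*'/'?' wildcards, a leading '!'
    negates an entry and a matching negated entry rejects the whole list. With
    address=True each entry is tried as a CIDR range first (10.0.2.0/24), then
    as a wildcard (10.0.2.*), which is what the Address criterion does."""
    ip = ipaddress.ip_address(value) if address else None
    matched = False
    for entry in patterns.split(","):
        negate = entry.startswith("!")
        entry = entry.lstrip("!")
        hit = False
        if address:
            try:
                hit = ip in ipaddress.ip_network(entry, strict=False)
            except ValueError:
                pass  # not CIDR or a plain address: try it as a wildcard below
        if not hit:
            hit = fnmatch.fnmatchcase(value, entry)
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def parse_sshd_config(text):
    """Split the file into global settings and Match blocks, in file order;
    keywords are lowercased because sshd treats them case-insensitively."""
    global_settings, blocks = [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword != "match":
            current.append((keyword, value))
            continue
        tokens = value.split()
        if len(tokens) == 1 and tokens[0].lower() == "all":
            criteria = []  # "Match All" applies to every connection
        else:
            criteria = list(zip((t.lower() for t in tokens[::2]), tokens[1::2]))
        current = []  # lines that follow belong to this block until the next Match
        blocks.append((criteria, current))
    return global_settings, blocks


def criteria_match(criteria, user, groups, addr):
    """Every criterion on a Match line must hold (they are ANDed)."""
    for name, pattern in criteria:
        if name == "user":
            ok = pattern_list_match(pattern, user)
        elif name == "group":
            ok = any(pattern_list_match(pattern, g) for g in groups)
        elif name == "address":
            ok = pattern_list_match(pattern, addr, address=True)
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True


def effective_settings(text, user, groups, addr):
    """{keyword: value} as sshd applies it: a matching block overrides the global
    value, and when several blocks match, the first to set a keyword wins."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {}
    for keyword, value in global_settings:
        effective.setdefault(keyword, value)  # first global occurrence wins
    decided = set()
    for criteria, settings in blocks:
        if criteria_match(criteria, user, groups, addr):
            for keyword, value in settings:
                if keyword not in decided:
                    effective[keyword] = value
                    decided.add(keyword)
    return effective


# Constructed sshd_config combining the three policies from the article.
SAMPLE_CONFIG = """PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.2.31
        PermitRootLogin no
Match User deepak Address 10.0.2.0/24
        PasswordAuthentication yes
Match Group techteam
        PasswordAuthentication yes
"""
```

With SAMPLE_CONFIG, effective_settings("root", ["root"], "10.0.2.31") yields PermitRootLogin no while the same user from 10.0.2.2 keeps the global yes; deepak from 10.0.2.31 gets PasswordAuthentication yes but from 10.0.3.7 does not; and sharan gets a password prompt only once techteam is in his group list. The "first block wins" rule matters whenever two blocks can match the same connection, so order them from most to least specific.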


Lastly, I hope the steps in this article to restrict or allow SSH for certain users, groups and hosts in Linux were helpful. Let me know your suggestions and feedback using the comment section.
