How to restrict or allow ssh only from certain users, groups or hosts in Linux


How to configure SSH to permit root login only from specific host or IP address? How to configure SSH to permit login only for certain users and/or groups? How to restrict password based logins only to certain users and/or hosts? How to restrict SSH for login via certain users only? How to allow SSH for login via root from certain hosts only?


Restrict SSH login via root for specific host

Here I will show the steps to restrict SSH as the 'root' user on node3 only from node2 (10.0.2.31), while root logins to node3 from all other hosts remain allowed. In my previous article I shared the commands to check and list active ssh connections with examples.

Open your sshd_config file for editing

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this option to 'yes' to allow root login from all hosts by default
PermitRootLogin yes

# Add the following to deny root login only from node2 (10.0.2.31)
Match Address 10.0.2.31
        PermitRootLogin no

Next, exit the editor and restart the sshd service (it is worth running 'sshd -t' first, which checks the configuration for syntax errors before the restart)

[root@node3 ~]# systemctl restart sshd

Now, from node2 (10.0.2.31), I will try to SSH to node3 as root, and as expected it fails

[root@node2 ~]# ssh node3
root@node3's password:
Permission denied, please try again.
root@node3's password:

If we check the syslog on node3, we get more information about the cause of the SSH failure.

[root@node3 ~]# tail -f /var/log/messages
May 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)
May 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31  user=root
May 01 23:00:09 node3.example.com sshd[14003]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2

 

Allow SSH login using passwords only from specific hosts

To allow SSH login using passwords only from specific hosts, for example when enforcing public key based login for all users while making an exception for specific hosts:

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this option to 'no' to deny password-based login from all hosts by default
PasswordAuthentication no

# Add the following to allow password-based login only from node2 (10.0.2.31)
Match Address 10.0.2.31
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Now try to SSH from any other host (other than node2) and observe the result in the syslog on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
May 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]

As expected, SSH is not allowed.

Now try SSH from node2

[root@node2 ~]# ssh root@node3
root@node3's password:
Last login: Thu May  2 19:48:16 2019 from 10.0.2.2
[root@node3 ~]#

So we were able to SSH to node3 from node2 successfully.

Observe the messages in syslog on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
May 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.
May 02 19:54:01 node3.example.com sshd[4510]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 02 19:54:01 node3.example.com systemd-logind[2775]: New session 3 of user root.
May 02 19:54:02 node3.example.com dbus[2764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 02 19:54:02 node3.example.com dbus[2764]: [system] Successfully activated service 'org.freedesktop.problems'

 

Allow SSH from certain users, host and subnet

To allow password-based SSH login only for user deepak, and only from hosts in the subnet 10.0.2.*, make the following changes in your sshd_config file. All criteria on a single Match line must be satisfied for the block to apply, and Address also accepts CIDR notation such as 10.0.2.0/24.

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this option to 'no' to deny password-based login from all hosts by default
PasswordAuthentication no

# Add the following to allow password-based login for deepak from subnet 10.0.2.*
Match User deepak Address 10.0.2.*
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Next, try to SSH as any other user from node2 to node3; as expected, SSH is denied, since password authentication is enabled only for deepak

[root@node2 ~]# ssh root@node3
Permission denied (publickey).

Check the syslog on node3 for the cause of the rejection

May 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]

Now try to do SSH as user 'deepak' from node2

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Mon Feb 25 20:56:05 2019
[deepak@node3 ~]$

As expected it worked.

Observe the messages in syslog on node3.

[root@node3 ~]# tail -f /var/log/messages
May 02 20:07:12 node3.example.com sshd[4718]: Accepted password for deepak from 10.0.2.31 port 36314 ssh2
May 02 20:07:13 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 20:07:13 node3.example.com systemd[1]: Started Session 6 of user deepak.
May 02 20:07:13 node3.example.com systemd-logind[2775]: New session 6 of user deepak.
May 02 20:07:13 node3.example.com sshd[4718]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

 

Allow SSH login only for a certain group

To allow password-based SSH login only for users belonging to the group 'techteam', add the following to your sshd_config

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this option to 'no' to deny password-based login from all hosts by default
PasswordAuthentication no

# Add the following to allow password-based login for all members of group 'techteam'
Match Group techteam
        PasswordAuthentication yes

Restart the sshd service for the changes to take effect

[root@node3 ~]# systemctl restart sshd

Here 'deepak' is a member of my 'techteam' group

[root@node2 ~]# ssh deepak@node3
deepak@node3's password:
Last login: Thu May  2 20:56:07 2019 from 10.0.2.31

So now 'deepak' is able to SSH to node3 successfully

[root@node3 ~]# tail -f /var/log/messages
May 02 21:12:44 node3.example.com sshd[5847]: Accepted password for deepak from 10.0.2.31 port 36370 ssh2
May 02 21:12:44 node3.example.com systemd[1]: Created slice User Slice of deepak.
May 02 21:12:44 node3.example.com systemd[1]: Started Session 17 of user deepak.
May 02 21:12:45 node3.example.com systemd-logind[2775]: New session 17 of user deepak.
May 02 21:12:45 node3.example.com sshd[5847]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

I will log out of the 'deepak' user's session

[deepak@node3 ~]$ logout
Connection to node3 closed.

Next I will try SSH with another user, 'sharan', who is not part of techteam

[root@node3 ~]# id sharan
uid=1003(sharan) gid=1003(sharan) groups=1003(sharan)

[root@node3 ~]# ssh sharan@node3
Permission denied (publickey).

As expected, SSH is denied, with the following message logged on node3

[root@node3 ~]# tail -f /var/log/messages
May 02 22:47:00 node3.example.com sshd[6938]: Connection closed by 10.0.2.31 port 36396 [preauth]
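All four configurations above (root denied from one address, password login allowed from one address, for one user from a subnet, and for one group) rely on the same sshd rule: directives placed before any Match block are the defaults, and for a given connection the first matching Match block that sets a keyword wins. The following script is an added example, not part of this article or of OpenSSH; it evaluates that rule offline against a constructed sshd_config that combines the article's snippets, and its function names and sample data are assumptions of mine.

```python
# Added example (not from the article or OpenSSH): evaluates sshd_config Match
# blocks offline. Rule: the first matching block that sets a keyword wins, else the
# value set before any Match block applies. Only User/Group/Address criteria handled.
import fnmatch
import ipaddress

# Constructed sample config combining the article's snippets into one file.
SAMPLE_CONFIG = """PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.2.31
        PermitRootLogin no
Match User deepak Address 10.0.2.*
        PasswordAuthentication yes
Match Group techteam
        PasswordAuthentication yes
"""

def _addr_matches(patterns, addr):
    # Address criteria accept CIDR (10.0.2.0/24) or wildcard (10.0.2.*) patterns.
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
               if "/" in p else fnmatch.fnmatchcase(addr, p) for p in patterns.split(","))

def parse_sshd_config(text):
    """Return (defaults, blocks); blocks is [(criteria, settings)] in file order."""
    defaults, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comment, split key/value
        if parts and parts[0].lower() == "match":
            toks = parts[1].split()                  # e.g. ['User', 'deepak', 'Address', '10.0.2.*']
            current = {}
            blocks.append((dict(zip([t.lower() for t in toks[::2]], toks[1::2])), current))
        elif parts:
            (defaults if current is None else current)[parts[0].lower()] = parts[1].strip()
    return defaults, blocks

def block_applies(criteria, user, groups, addr):
    """Every criterion on the Match line must hold; groups = primary + supplementary."""
    glob = lambda value, pats: any(fnmatch.fnmatchcase(value, p) for p in pats.split(","))
    tests = {"user": lambda v: glob(user, v),
             "group": lambda v: any(glob(g, v) for g in groups),
             "address": lambda v: _addr_matches(v, addr)}
    return all(tests[k](v) for k, v in criteria.items())

def effective_setting(config_text, keyword, user, groups, addr):
    """Value sshd would apply for this keyword and connection (None if never set)."""
    defaults, blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in blocks:
        if keyword in settings and block_applies(criteria, user, groups, addr):
            return settings[keyword]
    return defaults.get(keyword)
```

On the server itself the authoritative check is sshd's own config dump for a simulated connection, for example 'sshd -T -C user=deepak,host=node2,addr=10.0.2.31', which prints the effective value of every keyword for that user and source address.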

 

Lastly, I hope the steps in this article to restrict or allow SSH for certain users, groups and hosts in Linux were helpful. So, let me know your suggestions and feedback using the comment section.


Deepak Prasad


5 thoughts on “How to restrict or allow ssh only from certain users, groups or hosts in Linux”

  1. Please help with the below scenario –
    In the /etc/ssh/sshd_config file, DenyGroups has the “nologin” group. So all the IDs which are part of the “nologin” group will not be able to access the server from the source. But I need one specific ID (say “service1”) which is part of nologin to be able to access it from the source.
    • I have not tried but I believe order in which the restriction is implemented matters so if you define your user service1 in AllowUsers before DenyGroups then it should work hopefully.

  2. Very good site you have here but I was curious about if you knew of
    any forums that cover the same topics talked about
    here? I’d really love to be a part of online community where I can get comments from other experienced people
    that share the same interest. If you have any suggestions, please let me know.

    Thank you!

  3. Is there a way to have the restriction apply to a number of groups and few users.
    I have a server that I want to allow only groupA, groupB, and userC, and userD.

    userC and userD are not members of the two groups above.
