Skip to content

Restrict which users can log in over SSH

Severity: highApplies to: OpenSSH 8.x+Applies to: Debian / UbuntuApplies to: RHEL / Rocky / Alma
The fix/etc/ssh/sshd_config
Terminal window
AllowGroups sshusers

Create the group and put the accounts that need SSH into it:

Terminal window
sudo groupadd -f sshusers
sudo usermod -aG sshusers youruser

Then reload the daemon:

Terminal window
sudo systemctl reload ssh # Debian, Ubuntu
sudo systemctl reload sshd # RHEL, Rocky, Alma, Fedora

By default, every account on the host with a valid shell and credentials can log in over SSH. That includes accounts created by packages, accounts left behind by a departed colleague, and service accounts that were never meant to be interactive.

An allow-list inverts the default. Instead of remembering to lock down every account that shouldn’t have SSH, you name the few that should, and everything else is denied — including accounts that don’t exist yet.

AllowGroups is the one to reach for. It survives staff changes: adding or removing a person is a group membership change, not an sshd config edit and reload.

Use AllowUsers when you want per-host precision, and note it accepts a user@host pattern that restricts where a user may connect from:

Terminal window
AllowUsers deploy@10.0.0.0/8 youruser

OpenSSH checks the four rules in a fixed order, and the first match wins:

  1. DenyUsers
  2. AllowUsers
  3. DenyGroups
  4. AllowGroups

Two consequences worth knowing:

  • A deny always beats an allow, regardless of which line comes first in the file. Listing someone in both DenyUsers and AllowUsers denies them.
  • If AllowUsers is set at all, anyone not listed is denied — even if they are in a group named by AllowGroups. Setting both is the usual way people lock themselves out: AllowUsers deploy plus AllowGroups sshusers does not mean “either”, it means “only deploy”.

Pick one directive and use it alone unless you have a specific reason not to.