Restrict which users can log in over SSH
/etc/ssh/sshd_configAllowGroups sshusersCreate the group and put the accounts that need SSH into it:
sudo groupadd -f sshuserssudo usermod -aG sshusers youruserThen reload the daemon:
sudo systemctl reload ssh # Debian, Ubuntusudo systemctl reload sshd # RHEL, Rocky, Alma, FedoraWhy it matters
Section titled “Why it matters”By default, every account on the host with a valid shell and credentials can log in over SSH. That includes accounts created by packages, accounts left behind by a departed colleague, and service accounts that were never meant to be interactive.
An allow-list inverts the default. Instead of remembering to lock down every account that shouldn’t have SSH, you name the few that should, and everything else is denied — including accounts that don’t exist yet.
Which directive to use
Section titled “Which directive to use”AllowGroups is the one to reach for. It survives staff changes: adding or
removing a person is a group membership change, not an sshd config edit and
reload.
Use AllowUsers when you want per-host precision, and note it accepts a
user@host pattern that restricts where a user may connect from:
AllowUsers deploy@10.0.0.0/8 youruserThe evaluation order catches people out
Section titled “The evaluation order catches people out”OpenSSH checks the four rules in a fixed order, and the first match wins:
DenyUsersAllowUsersDenyGroupsAllowGroups
Two consequences worth knowing:
- A deny always beats an allow, regardless of which line comes first in the
file. Listing someone in both
DenyUsersandAllowUsersdenies them. - If
AllowUsersis set at all, anyone not listed is denied — even if they are in a group named byAllowGroups. Setting both is the usual way people lock themselves out:AllowUsers deployplusAllowGroups sshusersdoes not mean “either”, it means “only deploy”.
Pick one directive and use it alone unless you have a specific reason not to.
Related
Section titled “Related”- Require key-only SSH authentication — restrict who can try, then restrict how.
- Disable root login over SSH — the one account worth denying by name.