Block All Users But One From SSH Access


I can currently login to my server via ssh as root. There may be some other users, however, that have ssh access. I want to block out any possible logins except from root. How can I do this?


So you can achieve your stated desire with the AllowUsers directive in your sshd_config file, for example:

$ grep AllowUsers /etc/ssh/sshd_config
AllowUsers root

However I would be wary of using the root account for ssh – consider instead an unprivileged account for normal use, using something like sudo to acquire root privileges only when needed.

From man sshd_config

         This keyword can be followed by a list of user name patterns, separated
         by spaces.  If specified, login is allowed only for user names that match
         one of the patterns.  Only user names are valid; a numerical user ID is
         not recognized.  By default, login is allowed for all users.  If the
         pattern takes the form USER@HOST then USER and HOST are separately checked,
         restricting logins to particular users from particular hosts.  The
         allow/deny directives are processed in the following order: DenyUsers,
         AllowUsers, DenyGroups, and finally AllowGroups.

         See PATTERNS in ssh_config(5) for more information on patterns.
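The order the man page describes (DenyUsers first, then AllowUsers) is easy to get wrong when a config has several lines. The script below is an added example, not code from the original answer or from OpenSSH: a small POSIX sh model of the DenyUsers/AllowUsers stage, run against a constructed sshd_config fragment. The function names `ssh_user_allowed`, `_patterns` and `_matches` are the example's own. The model treats every line in the file as global (Match blocks are not handled), gathers the patterns of every DenyUsers/AllowUsers line, and leaves out the group directives and negated patterns; the authoritative check on a real server is `sshd -T -C user=NAME,host=HOST,addr=ADDR`.

```shell
#!/bin/sh
# Added example: model the DenyUsers / AllowUsers stage of sshd_config(5).
# Not sshd itself; use `sshd -T -C user=...` for the real answer.

# _patterns CONFIG KEYWORD -> space-separated patterns from every KEYWORD line
# (keyword compared case-insensitively; commented lines are skipped).
_patterns() {
  awk -v kw="$2" 'tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); printf "%s ", $0 }' "$1"
}

# _matches USER HOST PATTERN... -> 0 if USER (or USER@HOST) matches any pattern.
# The shell's case statement implements the * and ? wildcards of PATTERNS.
_matches() {
  user=$1; host=$2; shift 2
  for pat in "$@"; do
    case "$pat" in
      *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;   # USER@HOST: both parts are checked
      *)   upat=$pat; hpat='*' ;;               # plain USER: any host
    esac
    case "$user" in $upat) ;; *) continue ;; esac
    case "$host" in $hpat) return 0 ;; esac
  done
  return 1
}

# ssh_user_allowed CONFIG USER [HOST] -> 0 if the login passes the
# DenyUsers/AllowUsers checks, 1 if it is refused.
ssh_user_allowed() {
  cfg=$1; u=$2; h=${3:-localhost}
  deny=$(_patterns "$cfg" DenyUsers)
  allow=$(_patterns "$cfg" AllowUsers)
  set -f   # patterns are word-split below; -f stops the shell globbing "*" against filenames
  rc=0
  if [ -n "$deny" ] && _matches "$u" "$h" $deny; then
    rc=1   # 1. DenyUsers is processed first: a match refuses the login outright
  elif [ -n "$allow" ] && ! _matches "$u" "$h" $allow; then
    rc=1   # 2. AllowUsers present: only matching users may continue
  fi       # 3. DenyGroups and AllowGroups would follow here (not modelled)
  set +f
  return $rc
}

# Demo on a constructed config fragment (not a real server's file).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config fragment for the demo
Port 22
PermitRootLogin prohibit-password
DenyUsers guest
AllowUsers root admin@10.0.0.*
EOF
for spec in root:10.0.0.7 alice:10.0.0.7 guest:10.0.0.7 admin:10.0.0.7 admin:192.168.1.9; do
  if ssh_user_allowed "$cfg" "${spec%%:*}" "${spec#*:}"; then
    echo "$spec: allowed"
  else
    echo "$spec: refused"
  fi
done
rm -f "$cfg"
```

With the fragment above, `root` and `admin` from `10.0.0.*` are allowed, while `alice` (no AllowUsers match), `guest` (DenyUsers) and `admin` from another network are refused. Because DenyUsers runs first, a user listed in both directives is always refused, which is the case to try before restarting sshd on a box you only reach over ssh.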

Btw. please don’t allow password login for your root user. Only allow ssh keys or, even better, just allow a specific user to log in and change to root, but not root directly.

I lock out all users except root when I need to do maintenance on my Linux hosts. Just remove the file when you’re done.

echo "System maintenance in progress" > /run/nologin
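The weak point of that approach is the "remove the file when you're done" step: pam_nologin keeps refusing every non-root login for as long as the file exists, whatever the reason it was left behind. The wrapper below is an added example, not code from the original answer; `with_nologin` is the example's own name, and `NOLOGIN_FILE` is an assumed override so the function can be exercised against a temporary path instead of the real /run/nologin.

```shell
#!/bin/sh
# Added example: run a maintenance command with /run/nologin in place and
# remove the file again however the command ends (normal exit, failure, or
# SIGINT/SIGTERM/SIGHUP). pam_nologin shows the file's contents to refused
# users, so the message is what they will see. Sessions already open are not
# affected; the file only blocks new logins.
# NOLOGIN_FILE (assumed, for this example) overrides the path for testing.

with_nologin() {
  _nologin_msg=$1; shift
  _nologin_file=${NOLOGIN_FILE:-/run/nologin}
  if [ -e "$_nologin_file" ]; then
    echo "refusing to run: $_nologin_file already exists" >&2
    return 2
  fi
  printf '%s\n' "$_nologin_msg" > "$_nologin_file" || return 2
  # EXIT trap removes the lockout file if the shell dies; signal traps
  # turn an interrupt into a normal exit so the EXIT trap runs.
  trap 'rm -f "$_nologin_file"' EXIT
  trap 'exit 1' INT TERM HUP
  "$@" && _nologin_rc=0 || _nologin_rc=$?
  rm -f "$_nologin_file"
  trap - EXIT INT TERM HUP
  return $_nologin_rc
}

# Demo against a constructed temporary path (drop NOLOGIN_FILE, as root, to use /run/nologin).
NOLOGIN_FILE="${TMPDIR:-/tmp}/nologin.demo.$$"
export NOLOGIN_FILE
with_nologin "System maintenance in progress" \
  sh -c 'echo "lockout message: $(cat "$NOLOGIN_FILE")"; echo "(maintenance work runs here)"'
if [ -e "$NOLOGIN_FILE" ]; then
  echo "$NOLOGIN_FILE still present: logins still blocked"
else
  echo "$NOLOGIN_FILE removed: logins re-enabled"
fi
```

Typical use is `with_nologin "System maintenance in progress" ./upgrade.sh`; the wrapper returns the command's own exit status, so it can sit in cron or a pipeline without hiding failures.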
