Allow or deny SSH logins per account using sshd configuration and related controls.

16.11.2025 | reading time: 3 min

Controlling which accounts may log in over SSH is one of the quickest ways to reduce attack surface and enforce least-privilege access on servers.

Hands-on: Allow a single user

Create two test accounts and permit only one of them to authenticate via SSH with these commands and a simulated login test:

```
# Create two test accounts and set a password for each
sudo useradd -m alice
echo 'alice:Passw0rd' | sudo chpasswd
sudo useradd -m bob
echo 'bob:Passw0rd' | sudo chpasswd

# Remove any existing AllowUsers line, then allow only alice
sudo sed -i '/^AllowUsers/ d' /etc/ssh/sshd_config
echo 'AllowUsers alice' | sudo tee -a /etc/ssh/sshd_config

# Restart sshd so the new rule takes effect
sudo systemctl restart sshd
```

Then try SSH connections to see the effect:

```
$ ssh alice@server.example.com
alice@server.example.com's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)

$ ssh bob@server.example.com
Permission denied, please try again.
Permission denied (publickey,password).
```

Other practical controls to combine

Beyond a simple `AllowUsers` line, use `Match User` blocks to apply per-user options, `AllowGroups` to manage many users at once, or `DenyUsers` for explicit blocks. Combine these with authorized_keys forced commands, disabling password authentication for key-only users, and PAM access controls for centralized policies.

When to use which method

Use `AllowUsers` for a short whitelist, `AllowGroups` when you manage users via group membership, and `Match User` for fine-grained differences such as restricting an account to SFTP only or setting a different `ForceCommand` for it. Prefer group-based rules where admins change membership more often than they edit sshd_config.
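An added example (not from the original page) of making the hands-on `AllowUsers` edit safely once the file also contains `Match` blocks: a directive appended after a `Match` line belongs to that block, so the function below places it before the first `Match` and installs the file only if `sshd -t` accepts it. The names `set_allow_users` and `SSHD_BIN` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. SSHD_BIN and set_allow_users are
# names chosen here; run as root against /etc/ssh/sshd_config.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# set_allow_users CONFIG USER [USER...]
# Replaces the global AllowUsers directive and installs the result only if
# `sshd -t` accepts it. On any failure CONFIG is left untouched.
set_allow_users() {
    local config candidate user rc
    config="$1"
    [ -f "$config" ] && [ "$#" -ge 2 ] || { echo "usage: set_allow_users CONFIG USER..." >&2; return 2; }
    shift

    # Plain account names only: AllowUsers also accepts patterns (* ? !) and
    # user@host forms, which this example refuses so a typo cannot widen access.
    for user in "$@"; do
        case "$user" in
            ''|-*|*[!A-Za-z0-9._-]*) echo "refusing user name: $user" >&2; return 2 ;;
        esac
    done

    candidate="$(mktemp "${config}.XXXXXX")" || return 1
    # Drop old global AllowUsers lines and put the new one BEFORE the first
    # Match block; a line appended after a Match block would belong to that
    # block and apply only to the connections it matches.
    awk -v line="AllowUsers $*" '
        !placed && tolower($1) == "match"      { print line; placed = 1 }
        !placed && tolower($1) == "allowusers" { next }
        { print }
        END { if (!placed) print line }
    ' "$config" > "$candidate" || { rm -f "$candidate"; return 1; }

    # -t parses the file and exits non-zero on errors, without starting a daemon.
    if ! "$SSHD_BIN" -t -f "$candidate"; then
        echo "sshd rejected the candidate config; $config unchanged" >&2
        rm -f "$candidate"
        return 1
    fi

    # Keep a rollback copy, then overwrite in place to preserve owner and mode.
    cp -p "$config" "${config}.bak" && cat "$candidate" > "$config"
    rc=$?
    rm -f "$candidate"
    return "$rc"
}
```

After it returns 0, restart sshd from a session you keep open and confirm that a fresh login works before closing that session.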
Operational notes and pitfalls

Always test configuration changes while keeping an existing session open, before restarting the only SSH service, and keep a root console or out-of-band access ready. Verify the logic when combining Allow/Deny lists: once `AllowUsers` is set, open access ends and only the listed accounts can log in, which can lock out accounts you did not expect.

Relevant supporting tools

Harden user-based SSH rules with attack-mitigation tools such as Fail2Ban, host-level firewalls like nftables, and PAM modules such as pam_access for centralized login control; log monitoring and key management complete the picture.

Next steps

Try converting a small set of system users to a restricted SSH-only group and observe the logs to build confidence; pursue structured learning to deepen this skill and consider exam tracks like CompTIA Linux+ or LPIC-1 with intensive preparation at bitsandbytes.academy.