Secure Shell (SSH) is a cryptographic network protocol for secure communication between two networked devices. It provides a secure, encrypted connection between devices, making it an essential tool for remote access and management of servers and devices.
When it comes to managing servers or devices, it is crucial to limit access only to authorized users. In this article, we will discuss how to allow a specific user to SSH to a device.
Understanding SSH Access Control
SSH access control involves granting or restricting access to a device or server. By default, most Linux distributions and Unix-based operating systems allow SSH access to all users with a valid account on the device or server. However, this could lead to security risks, as it provides an opportunity for malicious actors to gain unauthorized access to the device or server.
To prevent unauthorized access, it is essential to set up proper access control policies that define who can access a device or server and under what conditions. This includes limiting SSH access to specific users and disabling SSH access for all other users.
Creating a New User Account
The first step to allowing a specific user to SSH is to create a new user account. This can be done using the useradd command on Linux and Unix-based operating systems. To create a new user account, log in to the device or server as the root user and run the following command:
useradd -m username
Replace username with the desired username for the new user account. This will create a new user account with default settings; the -m option makes sure the home directory is created, which the later .ssh steps rely on. To set a password for the new user account, run the following command:
passwd username
You will be prompted to enter and confirm the password for the new user account. Once the password is set, the new user account is ready to use.
Granting SSH Access to a User
To allow a specific user to SSH to a device or server, you need to grant SSH access to the user account. This involves adding the user account to the list of authorized SSH users on the device or server.
That list is kept per account: the public keys allowed to log in as a user are stored in the authorized_keys file in the .ssh directory of the user’s home directory. To add a user to the list of authorized SSH users, follow these steps:
- Log in to the device or server as the root user.
- Switch to the user account for which you want to grant SSH access.
- Create the .ssh directory in the user’s home directory using the following command:
mkdir ~/.ssh
- Create the authorized_keys file in the .ssh directory using the following command:
touch ~/.ssh/authorized_keys
- Open the authorized_keys file using a text editor and paste the public SSH key for the user account into the file.
- Save the changes and exit the text editor.
The public SSH key for the user account can be obtained by generating an SSH key pair on the user’s local machine and copying the public key to the device or server. To generate an SSH key pair, run the following command on the user’s local machine:
ssh-keygen
This will generate a public and private key pair in the user’s home directory. The public key can be found in the ~/.ssh/id_rsa.pub file.
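The steps above, collected into one helper as an added example (not part of the original article): it creates .ssh and authorized_keys with owner-only permissions, refuses input that is not a single public-key line (for instance a pasted private key), and does not add the same key twice. The name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: install one public key for an account.
# install_pubkey HOME_DIR PUBKEY_LINE  (hypothetical helper name)
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    pubkey=$2

    # A public key is exactly one line: "type base64 [comment]".
    case $pubkey in
        *"
"*) echo "refusing multi-line input" >&2; return 1 ;;
    esac
    # A private key block ("-----BEGIN ...") fails this check as well.
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    # Owner-only permissions keep other local users from reading or
    # replacing the key list.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present.
    if ! grep -qxF -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
}

# Demo in a throwaway directory, so no real home directory is touched.
demo_home=$(mktemp -d)
# Constructed sample key, not a real one.
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyOnly alice@laptop'
install_pubkey "$demo_home" "$demo_key"
ls -la "$demo_home/.ssh"
```

Run it as the target user (or fix ownership afterwards) so that the files belong to the account they authorize.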
Disabling SSH Access for All Other Users
To improve the security of a device or server, it is recommended to disable SSH access for all other users except the authorized users. This can be achieved by modifying the SSH server configuration file.
The SSH server configuration file is usually located at /etc/ssh/sshd_config on Linux and Unix-based operating systems. To modify the configuration file, log in to the device or server as the root user and open the configuration file in a text editor. Look for the line that reads #PermitRootLogin yes and replace it with PermitRootLogin no. This will disable SSH access for the root user.
Next, add the following line to the configuration file to disable SSH access for all other users except the authorized users:
AllowUsers username
Replace username with the username of the user account to which you have granted SSH access. When AllowUsers is present, sshd permits logins only for the users it lists, so every other account is refused. Do not add a DenyUsers * line next to it: sshd evaluates DenyUsers before AllowUsers, so that pattern would also lock out the allowed user.
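An added example, not from the original article, that applies sshd's evaluation order (DenyUsers first, then AllowUsers) to a configuration file and shows why a `DenyUsers *` line refuses every account, including one named in AllowUsers. It is simplified to plain user patterns (no USER@HOST, negation, groups or Match blocks); ssh_user_allowed, patterns_for and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: would sshd admit USER under this file's AllowUsers/DenyUsers?
# Hypothetical helpers; simplified to plain user-name patterns.

# Print every pattern of one keyword, one per line (keywords are case-insensitive).
patterns_for() {
    awk -v kw="$2" 'tolower($1) == kw { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# ssh_user_allowed CONFIG USER -> returns 0 if admitted, 1 if refused
ssh_user_allowed() {
    deny=$(patterns_for "$1" denyusers)
    allow=$(patterns_for "$1" allowusers)
    verdict=1
    set -f                        # keep "*" from expanding to file names
    for p in $deny; do            # 1. any DenyUsers match refuses the login
        case $2 in $p) set +f; return 1 ;; esac
    done
    [ -z "$allow" ] && verdict=0  # 2. no AllowUsers line: nobody else is excluded
    for p in $allow; do           # 3. otherwise the user must match AllowUsers
        case $2 in $p) verdict=0 ;; esac
    done
    set +f
    return "$verdict"
}

# Constructed sample configurations.
demo=$(mktemp -d)
printf 'PermitRootLogin no\nAllowUsers alice\nDenyUsers *\n' > "$demo/both.conf"
printf 'PermitRootLogin no\nAllowUsers alice\n' > "$demo/allow_only.conf"

for conf in both allow_only; do
    for u in alice bob; do
        if ssh_user_allowed "$demo/$conf.conf" "$u"; then r=admitted; else r=refused; fi
        echo "$conf.conf: $u $r"
    done
done
```

On the server itself, `sshd -t` checks the edited file for syntax errors, and the change only takes effect once sshd reloads its configuration.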
Testing SSH Access
Once you have granted SSH access to a specific user and disabled SSH access for all other users, it is essential to test SSH access to ensure that everything is working correctly.
To test SSH access, log out of the device or server and log in again using the authorized user account. Open a terminal or command prompt and enter the following command:
ssh username@hostname
Replace username with the username of the authorized user account, and hostname with the hostname or IP address of the device or server. If SSH access is working correctly, you will be prompted to enter the password for the authorized user account, and then you will be logged in to the device or server.
Conclusion
SSH access control is an essential aspect of device and server management, and allowing specific users to SSH is a crucial component of access control. By creating a new user account, granting SSH access to the user, and disabling SSH access for all other users, you can improve the security of your device or server.
In this article, we have discussed the steps involved in allowing a specific user to SSH, including creating a new user account, granting SSH access to the user, and disabling SSH access for all other users. We have also provided tips on testing SSH access to ensure that everything is working correctly.
Remember that securing your device or server requires ongoing vigilance, and it is essential to keep your SSH access control policies up to date to ensure that your device or server remains secure.