Secure Shell (SSH) is a widely used protocol for securing remote access and managing devices and servers. As with any access control mechanism, limiting access only to authorized users is essential. In this article, we will discuss how to deny a specific user SSH access to a device or server.
Understanding SSH Access Control
SSH access control involves granting or restricting access to a device or server. By default, most Linux distributions and Unix-based operating systems allow SSH access to all users with a valid account on the device or server. However, this is a security risk: every account that can log in is one more set of credentials that a malicious actor can guess or steal to gain unauthorized access to the device or server.
To prevent unauthorized access, it is essential to set up proper access control policies that define who can access a device or server and under what conditions. This includes denying SSH access to specific users and disabling SSH access for all other users.
Identifying Users with SSH Access
Before we can deny SSH access to a specific user, we need to identify which users have SSH access to the device or server. To do this, log in to the device or server as the root user and run the following command:
grep -vE '(nologin|false)$' /etc/passwd
This lists every account whose login shell is not nologin or false. By default, these are the accounts that can log in over SSH. Identify the username of the user account for which you want to deny SSH access.
Denying SSH Access to a User
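To deny SSH access to a specific user, we need to remove the user’s public SSH key from the list of authorized SSH keys on the device or server. The list of authorized SSH keys is stored in the authorized_keys file in the .ssh directory of the user’s home directory. Removing the key blocks key-based logins only; if the server also accepts password logins, the account can still connect with its password.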
To remove a user’s public SSH key from the authorized_keys file, follow these steps:
- Log in to the device or server as the root user.
- Switch to the user account for which you want to deny SSH access.
- Open the authorized_keys file using a text editor.
- Remove the public SSH key for the user from the file.
- Save the changes and exit the text editor.
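Alternatively, you can use the following command to remove the user’s public SSH key from the authorized_keys file:
sed -i.bak '/username@hostname/d' /home/username/.ssh/authorized_keys
Replace username@hostname with the comment at the end of the key’s line (by default, the key owner’s username and the hostname of the machine the key was generated on), and /home/username with the home directory of the user account. The command deletes every line containing that comment and keeps the original file as authorized_keys.bak.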
Disabling SSH Access for All Other Users
To improve the security of a device or server, it is recommended to disable SSH access for all other users except the authorized users. This can be achieved by modifying the SSH server configuration file.
The SSH server configuration file is usually located at /etc/ssh/sshd_config on Linux and Unix-based operating systems. To modify the configuration file, log in to the device or server as the root user and open the configuration file in a text editor. Look for the line that reads #PermitRootLogin yes and replace it with PermitRootLogin no. This will disable SSH access for the root user.
Next, add the following line to the configuration file to disable SSH access for all users except the authorized users:
AllowUsers username
Replace username with the username of the user account to which you have granted SSH access. When AllowUsers is present, sshd accepts only the users it lists and rejects everyone else, so no separate deny rule is needed. Do not add DenyUsers * alongside it: sshd checks DenyUsers before AllowUsers, so that line would lock out the allowed user as well.
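sshd checks DenyUsers first and AllowUsers second, and the script below models that order so an edited configuration can be checked for who it admits. It is an added example, not code from the original article; it assumes plain user-name patterns with * and ? wildcards, no USER@HOST forms, no Match blocks and no group directives, and the function names, users alice and bob, and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: models sshd's evaluation order for DenyUsers and AllowUsers.
# Assumes plain user patterns (* and ?), no USER@HOST forms, no Match blocks,
# no AllowGroups/DenyGroups. Function names and users are hypothetical.

# Print every pattern given for keyword $1 in config file $2
# (keywords are case-insensitive; repeated lines accumulate).
patterns_for() {
    awk -v kw="$1" 'tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# Return 0 if user $1 matches any pattern in the whitespace-separated list $2.
matches_any() {
    set -f                          # do not expand * against file names
    for pat in $2; do
        case $1 in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Print "allow" or "deny" for user $1 under config file $2.
ssh_user_verdict() {
    deny=$(patterns_for DenyUsers "$2")
    allow=$(patterns_for AllowUsers "$2")
    # Step 1: DenyUsers is checked first; any match rejects the login.
    if matches_any "$1" "$deny"; then echo deny; return; fi
    # Step 2: if AllowUsers is set, only users it lists are accepted.
    if [ -n "$allow" ] && ! matches_any "$1" "$allow"; then echo deny; return; fi
    echo allow
}

# Constructed sample configurations (not taken from a real server).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'AllowUsers alice\nDenyUsers *\n' > "$tmp/allow_plus_deny_all.conf"
printf 'AllowUsers alice\n'              > "$tmp/allow_only.conf"
printf 'DenyUsers bob\n'                 > "$tmp/deny_one.conf"

for conf in allow_plus_deny_all allow_only deny_one; do
    for u in alice bob; do
        printf '%-20s %-6s %s\n' "$conf" "$u" "$(ssh_user_verdict "$u" "$tmp/$conf.conf")"
    done
done
```

On a live server, check the edited file with sshd -t and reload the SSH service so the change takes effect. Keep your current session open until a new login has been tested.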
Testing SSH Access
Once you have denied SSH access to a specific user and disabled SSH access for all other users, it is essential to test SSH access to ensure everything works correctly.
To test SSH access, log out of the device or server and try to log in again using the denied user’s account. If SSH access has been successfully denied, you should receive an error message indicating that access has been denied.
Conclusion
SSH access control is an essential aspect of device and server management, and denying specific users SSH access is a crucial component of access control. By identifying users with SSH access, removing the public SSH key for the user from the authorized_keys file, and disabling SSH access for all other users, you can improve the security of your device or server.
In this article, we have discussed the steps involved in denying a specific user SSH access, including identifying users with SSH access, removing the user’s public SSH key from the authorized_keys file, and disabling SSH access for all other users. We have also provided tips on testing SSH access to ensure that everything is working correctly.
Remember that securing your device or server requires ongoing vigilance, and keeping your SSH access control policies up to date is essential to ensure that your device or server remains secure.