Today one of my blog readers came to me with the question: “How can I restrict SSH access for individual users?”. The author of the question had read my notes about setting up server components for Linux and found information on forcibly banning users from connecting via SSH. Let me remind you that, by default, every user is able to connect to the server via SSH. That ability is not always needed (it is, after all, an extra door for a hacker), so it makes sense to disable SSH access.
How not to disable SSH access
On various forums dedicated to administering Unix-like systems, some system administrators recommend simply changing the user's shell to a nonexistent one. By default, each user is given the bash shell. To change it, you need to execute the command:
usermod -s /bin/false <user>
The usermod command with the “-s” option changes the user's shell to /bin/false. The user immediately loses SSH access, but along with it also loses the ability to connect to the server via FTP. For example, if you apply this to a user and then try to connect as that user to vsftpd, nothing happens: after authentication, the server drops the connection. So I recommend not rushing to follow such “helpful” advice. Besides, SSH access can be restricted in a “legal” way.
How to properly prevent access via SSH in Debian
I aim for maximum flexibility when introducing restrictions. Some users need SSH access, others do not. To make this easier to manage, I usually create a group called no-ssh. Everyone who is a member of it will be denied SSH access. As a reminder, this is how to create the group:
groupadd no-ssh
Then add the users who do not need SSH access. For example:
usermod -aG no-ssh username
The user username is now a member of no-ssh. The -a option appends the group, so the user's existing supplementary groups are kept. Now let’s adjust the configuration file of the SSH daemon. Open the configuration file:
nano /etc/ssh/sshd_config
Move to the end of the file and add one line:
DenyGroups no-ssh
Save the changes (Ctrl+O) and close the file (Ctrl+X). With one simple line, we have banned connections from users who are members of the no-ssh group. For the changes to take effect, restart SSH:
/etc/init.d/ssh restart
That's all: the question of SSH access for the user username is now settled once and for all.
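
To audit the result of the steps above, the following added example (not part of the original post) lists every account that the DenyGroups line blocks, whether through a supplementary or a primary group. The function name ssh_denied_users and the sample accounts are constructed for illustration; it assumes literal group names (no wildcard patterns) and ignores DenyGroups lines inside Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Lists the accounts blocked by
# the global DenyGroups directive. Assumptions: literal group names only
# (no wildcard patterns); directives inside Match blocks are ignored.

# Usage: ssh_denied_users SSHD_CONFIG GROUP_FILE PASSWD_FILE
ssh_denied_users() {
    awk -F: '
    FILENAME == ARGV[1] {                # sshd_config: collect denied groups
        line = $0
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        n = split(line, w, /[ \t]+/)
        if (tolower(w[1]) == "match") in_match = 1
        if (!in_match && tolower(w[1]) == "denygroups")
            for (i = 2; i <= n; i++) if (w[i] != "") denied[w[i]] = 1
        next
    }
    FILENAME == ARGV[2] {                # group file: name:x:gid:members
        if ($1 in denied) {
            gid[$3] = 1                  # remember GID for the passwd pass
            m = split($4, u, ",")
            for (i = 1; i <= m; i++) if (u[i] != "") hit[u[i]] = 1
        }
        next
    }
    ($4 in gid) { hit[$1] = 1 }          # passwd file: primary group denied
    END { for (name in hit) print name }
    ' "$1" "$2" "$3" | sort
}

# Constructed sample data (not real accounts) so the function runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' '# DenyGroups staff' 'denygroups no-ssh' \
        'Match Address 10.0.0.0/8' '    DenyGroups www' > "$d/sshd_config"
    printf '%s\n' 'www:x:33:carol' 'no-ssh:x:1001:alice,bob' \
        'staff:x:50:dave' > "$d/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'erin:x:1002:1001::/home/erin:/bin/bash' \
        'dave:x:1003:50::/home/dave:/bin/bash' > "$d/passwd"
    ssh_denied_users "$d/sshd_config" "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo
```

On a live server, call the function with /etc/ssh/sshd_config, /etc/group and /etc/passwd. Running sshd -t before the restart checks the edited configuration file for syntax errors.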