SSH allows you to restrict access to the server only to users in a certain group. Without being its members, other users will not be able to log in to the server via ssh. This is a convenient opportunity to issue access rights only to those users who really need it.
At the beginning, you need to create a group whose members will be authorized to work with ssh. Such a group GID is indicated in order not to spoil the equality of UID / GID for new users created in the system.
# addgroup --gid 9999 whocanusessh
Then in the configuration file / etc / ssh / sshd_config we set the parameter.
After that, we necessarily add root to this group:
# adduser root whocanusessh
If this is not done, then root will not be able to access the server using this protocol.
Finally, restart ssh with the service ssh restart command.
How it works. For example, to edit example.com files via sftp, you need to grant access to the webmaster user. We add it to the group, similar to adding root. Perform the necessary operations.
When work is finished, simply remove the user from the group.
# deluser webmaster whocanusessh
Attempts to authenticate users who are not in the selected group will be rejected by the server.
PS Of course, it would be possible to specify each user separately in the ssh configuration file, but this would take much longer than adding a user to a group, or deleting from it. :)