
Access to the server via ssh only for a specific group

SSH lets you restrict server access to users in a specific group. Users who are not members of that group cannot log in over ssh. This is a convenient way to grant access only to the users who really need it.

First, create a group whose members will be allowed to use ssh. The GID is specified explicitly so that the new group does not disturb the UID/GID match for users created on the system later.

  # addgroup --gid 9999 whocanusessh 

Then set the following parameter in the configuration file /etc/ssh/sshd_config:

  AllowGroups whocanusessh 

After that, be sure to add root to this group:

  # adduser root whocanusessh 

If this is not done, root will not be able to access the server over ssh.

Finally, restart ssh with the service ssh restart command.

How it works: suppose the webmaster user needs access in order to edit files via sftp. We add the user to the group in the same way as root, and the necessary work is carried out.

When work is finished, simply remove the user from the group.

  # deluser webmaster whocanusessh 

Attempts to authenticate users who are not in the selected group will be rejected by the server.
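A pre-restart check for the procedure above, as an added example that is not part of the original article: it lists which accounts the AllowGroups line would admit, so a missing root membership shows up before sshd is restarted. The function names and sample files are constructed for illustration (the deploy and guest users are assumptions); sshd also admits a user whose primary group is the allowed one, which the deploy account demonstrates.

```shell
#!/bin/sh
# Added example. Handles literal group names in global AllowGroups lines only;
# wildcard patterns, "Keyword=value" syntax and Match blocks are not covered.

# Print every group named on an AllowGroups line (keyword is case-insensitive).
allowed_groups() {  # $1 = sshd_config path
    awk 'tolower($1) == "allowgroups" {
             for (i = 2; i <= NF && $i !~ /^#/; i++) print $i
         }' "$1"
}

# Print users whose primary or supplementary group is in the allowed set.
ssh_allowed_users() {  # $1 = sshd_config, $2 = passwd file, $3 = group file
    awk -F: -v allow="$(allowed_groups "$1" | tr '\n' ' ')" -v G="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        FILENAME == G {
            if ($1 in want) {
                gid[$3] = 1                      # admits users by primary GID
                n = split($4, m, ",")            # members listed in the group file
                for (i = 1; i <= n; i++) if (m[i] != "") ok[m[i]] = 1
            }
            next
        }
        ($4 in gid) || ($1 in ok) { print $1 }   # passwd entries
    ' "$3" "$2" | sort -u
}

# Exit status 0 if the user would pass the AllowGroups check.
can_ssh() {  # $1 = user, $2 = sshd_config, $3 = passwd file, $4 = group file
    ssh_allowed_users "$2" "$3" "$4" | grep -qxF -- "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'Port 22\nAllowGroups whocanusessh\n' > "$demo/sshd_config"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'webmaster:x:1001:1001::/home/webmaster:/bin/sh' \
    'guest:x:1002:1002::/home/guest:/bin/sh' 'deploy:x:1003:9999::/home/deploy:/bin/sh' > "$demo/passwd"
printf '%s\n' 'root:x:0:' 'whocanusessh:x:9999:root,webmaster' 'webmaster:x:1001:' \
    'guest:x:1002:' > "$demo/group"

ssh_allowed_users "$demo/sshd_config" "$demo/passwd" "$demo/group"
can_ssh root "$demo/sshd_config" "$demo/passwd" "$demo/group" || echo "root would be locked out"
```

On a real host the arguments would be /etc/ssh/sshd_config, /etc/passwd and /etc/group; accounts that come from LDAP or another NSS source are not in those files and are not seen by this check.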

P.S. Of course, each user could be listed individually in the ssh configuration file, but that would take much longer than adding a user to a group or removing one from it. :)
