SSH Access Control: Restricting User Login with AllowUsers Directive

Dec 03, 2025 · Programming

Keywords: SSH access control | AllowUsers directive | Linux security configuration

Abstract: This article provides an in-depth exploration of methods to restrict user login via SSH on Linux systems. Focusing primarily on the AllowUsers directive in the sshd_config file, it details how to precisely control the list of users permitted to access the system through SSH. The article also covers complementary security enhancements such as public key authentication and port modification, offering system administrators a comprehensive SSH access control solution. Through practical configuration examples and security analysis, it helps readers effectively defend against brute-force attacks and simplify user management.

Core Mechanisms of SSH Access Control

In Linux systems, SSH (Secure Shell) is the standard protocol for remote server management, but its default configuration may allow excessive user access, increasing security risks. When system administrators detect external brute-force attempts, one of the primary tasks is to precisely control which users can log in via SSH.

The AllowUsers Directive in /etc/ssh/sshd_config

The SSH server configuration file /etc/ssh/sshd_config provides the AllowUsers directive, which is the most direct and effective method for restricting SSH access. This directive allows system administrators to explicitly specify the list of permitted users, while all other users are automatically denied.

Configuration example:

AllowUsers boris

The above configuration means only user boris can log in via SSH. If multiple users need to be allowed, separate them with spaces:

AllowUsers boris alice admin

Configuration Implementation Steps

  1. Open the SSH configuration file with a text editor: sudo nano /etc/ssh/sshd_config
  2. Add the AllowUsers directive at an appropriate location in the file, specifying the permitted usernames
  3. Save the file and exit the editor
  4. Restart the SSH service to apply the configuration: sudo systemctl restart sshd
  5. Check the configuration file for syntax errors (sshd -t validates the file without starting the service, so running it before the restart avoids reloading sshd with a broken file): sudo sshd -t

Security Enhancement Measures

In addition to using the AllowUsers directive, other security measures can be combined:

Public Key Authentication: Disabling password authentication and switching to public key authentication can significantly improve security. Install the public key in the target user's ~/.ssh/authorized_keys file and ensure the private key is protected with a strong passphrase.

Port Modification: Moving the SSH service from the default port 22 to another port (e.g., 3456) does not directly improve security, but it noticeably reduces scanning attempts by automated scripts and bots and therefore keeps the system logs cleaner.

Relationship Between User Shell and Login Capability

It is important to note that not all users listed in the /etc/passwd file can log in via SSH. Only those with valid shells (such as /bin/bash or /bin/sh) have login capability. System users typically use /usr/sbin/nologin or /bin/false as their shell, preventing SSH login.

Users with login shells can be viewed with the following command:

grep -E "/(bash|sh|zsh|tcsh|csh|ksh)$" /etc/passwd
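The two checks above (which accounts AllowUsers admits, and which accounts actually have a login shell) can be combined into a single audit. The script below is an added example, not part of the original article: it parses an sshd_config and an /etc/passwd excerpt, both constructed here as sample data, and reports who sshd would admit, which AllowUsers entries name a nologin account or no account at all (a typo there locks the administrator out), and whether password authentication is disabled. It mirrors sshd's rules that AllowUsers entries accumulate across lines while other keywords keep their first value; Match blocks and the host half of user@host patterns are not evaluated.

```python
import fnmatch
# Constructed sample inputs (not taken from a real host).
SSHD_CONFIG = """\
PasswordAuthentication no
AllowUsers boris alice@10.0.0.*
AllowUsers admin
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
boris:x:1000:1000::/home/boris:/bin/bash
alice:x:1001:1001::/home/alice:/bin/zsh
admin:x:1002:1002::/home/admin:/usr/sbin/nologin
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_sshd_config(text):
    """AllowUsers accumulates across lines; other keywords keep their first value, as sshd does."""
    allow, settings = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # "Keyword value", comments dropped
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "allowusers":
            allow.extend(value.split())
        else:
            settings.setdefault(key, value)
    return allow, settings

def passwd_shells(passwd_text):
    """Map username -> login shell for every well-formed /etc/passwd line."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return {f[0]: f[6] for f in fields if len(f) == 7}

def audit(config_text, passwd_text):
    """Who sshd admits, AllowUsers entries that are nologin or unknown accounts, password status."""
    allow, settings = parse_sshd_config(config_text)
    shells = passwd_shells(passwd_text)
    permitted, nologin, unknown = set(), set(), []
    for pattern in allow or ["*"]:            # no AllowUsers line => everyone allowed
        user_part = pattern.split("@", 1)[0]  # user@host form: host side not checked here
        matched = [u for u in shells if fnmatch.fnmatchcase(u, user_part)]
        if not matched:
            unknown.append(pattern)
        for u in matched:
            (nologin if shells[u] in NOLOGIN_SHELLS else permitted).add(u)
    return {"permitted": sorted(permitted), "listed_but_nologin": sorted(nologin),
            "unmatched_entries": unknown,
            "password_auth_disabled": settings.get("passwordauthentication", "yes") == "no"}
```

On a real host, feed it the contents of /etc/ssh/sshd_config and /etc/passwd instead of the constructed strings.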

Comprehensive Security Strategy

Best practices recommend adopting a layered security strategy:

  1. Use AllowUsers to strictly restrict login-capable users
  2. Enable public key authentication and disable password authentication
  3. Change the default SSH port
  4. Configure failed login attempt limits (e.g., using fail2ban)
  5. Regularly review authentication logs (/var/log/auth.log or /var/log/secure)

Through these measures, system administrators can establish a secure and manageable SSH access environment, effectively defending against brute-force attacks while ensuring normal access for authorized users.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.