SSH AllowGroups
Preface
The AllowGroups option restricts which accounts may log in over SSH by Unix group membership: once it is set, only users whose primary or supplementary group matches one of the listed group name patterns are allowed in. The directive itself has no host part; to additionally restrict by source address, combine it with AllowUsers user@host patterns or a Match Address block.
In this way it is possible to limit access at the application level.
A firewall cannot do this kind of per-user filtering: the username travels only inside the encrypted SSH session, so a packet filter sees the source address and port, not who is logging in.
This is a useful option, but it does not replace a properly configured firewall on your server.
AllowGroups Configuration
Configuration file
Location: “/etc/ssh/sshd_config”
I personally prefer to put these rules at the end of the file to keep it readable. Check first that the last uncommented directive above them is not a Match block: AllowGroups is permitted inside Match, and a directive appended below one applies only to connections that satisfy that Match condition. Several AllowGroups lines accumulate into one list. Before restarting sshd, make sure the account you administer from is in one of the listed groups, because every other account, including root, is refused once the directive is set.
AllowGroups - Description
This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All of the specified user and group tests must succeed, before user is allowed to log in.
See PATTERNS in ssh_config(5) for more information on patterns.
Configuration Example:
You can put each group on a separate line (keep comments on their own line; not every sshd release accepts a trailing comment on a directive line):
# Allow members of "group1"; AllowGroups itself cannot restrict by source IP
AllowGroups group1
# Allow members of "group2"
AllowGroups group2
Or you can put all access rules on one line:
AllowGroups group1 group2
To make sure that your change is used on your system, validate the file with "sshd -t" (it exits non-zero and prints the offending line on a syntax error) and restart SSHD after each update. Keep your current session open until a second login has succeeded, so a mistake cannot lock you out.
/etc/init.d/sshd restart   # For example on CentOS 6
systemctl restart sshd     # On an OS with systemd, for example CentOS 7
Example:
Create user
[root@SSH_SERVER ~]# adduser user1   # Create the user1 account and its private group "user1"
[root@SSH_SERVER ~]# adduser user2   # Create the user2 account and its private group "user2"
[root@SSH_SERVER ~]# passwd user1    # Set password for user1
...
[root@SSH_SERVER ~]# passwd user2    # Set password for user2
...
Update SSHD Configuration
[root@SSH_SERVER ~]# vi /etc/ssh/sshd_config   # Put your rules at the end of this file (after any Match block)
....
# Allow members of group "user1" (the user private group created by adduser)
AllowGroups user1
# Allow members of group "user2"
AllowGroups user2
[root@SSH_SERVER ~]# sshd -t   # Syntax check; no output means the file parsed cleanly
Restart SSHD
[root@SSH_SERVER ~]# systemctl restart sshd   # Restart SSHD so that the change takes effect
Test to connect
[user@SSH_CLIENT ~]$ ssh user1@SSH_SERVER   # Matches rule "AllowGroups user1"
user1@SSH_SERVER's password:
[user1@SSH_SERVER ~]$
[user1@SSH_SERVER ~]$ ssh user2@127.0.0.1   # Matches rule "AllowGroups user2"
user2@127.0.0.1's password:
[user2@SSH_SERVER ~]$
An account that is in none of the listed groups (root, for example, in this configuration) is still prompted for a password but is refused, and sshd logs the refusal in the authentication log, so a negative test from a third account is worth running as well.
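The steps above (append the directive, check the file, restart, then confirm the right accounts get in) are easy to get subtly wrong: a typo in a group name locks out everyone it was meant to admit, and a line appended below a Match block only applies to connections that match it. The following audit script is an added example, not part of the original page or of OpenSSH; it re-implements the AllowGroups membership check in shell using only "*" and "?" wildcards from the PATTERNS section (the "!" negation form is not handled), and the config it constructs, including the group names sshusers, admins and ops, is hypothetical sample input. It relies on id(1) and, where available, getent(1).

```shell
#!/usr/bin/env bash
# Added example: audit the AllowGroups directives of an sshd_config before
# restarting sshd. Not from the original page or from OpenSSH.
# Assumes: POSIX sh/bash, awk, id; getent where available (falls back to /etc/group).

# Print, one per line, the patterns of every AllowGroups line that is OUTSIDE a
# Match block. sshd appends the arguments of each AllowGroups line it parses, so
# several lines accumulate into one list.
global_allowgroups() {
    awk '
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "allowgroups" && !in_match {
            for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i }
        }
    ' "$1"
}

# Print the patterns of AllowGroups lines that sit INSIDE a Match block, i.e.
# ones that only apply when that Match condition is met (often a directive
# appended below a trailing Match block by mistake).
match_scoped_allowgroups() {
    awk '
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "allowgroups" && in_match {
            for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i }
        }
    ' "$1"
}

# Return 0 if USER ($1) has a primary or supplementary group matching one of the
# global patterns in CONFIG ($2), mirroring sshd's check with shell glob
# patterns ("*" and "?"; the "!" negation form is not handled here).
# No global AllowGroups at all means the directive is absent: everyone passes.
user_allowed_by_groups() {
    user=$1; config=$2
    patterns=$(global_allowgroups "$config")
    [ -z "$patterns" ] && return 0
    for group in $(id -nG "$user" 2>/dev/null); do
        for pattern in $patterns; do
            case $group in $pattern) return 0 ;; esac   # unquoted: glob match on purpose
        done
    done
    return 1
}

# Warn (on stderr) about every literal pattern that names no existing group,
# since a typo here silently locks out the people it was meant to admit.
# Prints the number of unresolvable names.
missing_groups() {
    count=0
    for pattern in $(global_allowgroups "$1"); do
        case $pattern in *[*?]*) continue ;; esac      # wildcard: cannot be resolved
        if command -v getent >/dev/null 2>&1; then
            getent group "$pattern" >/dev/null 2>&1 && continue
        else
            grep -q "^$pattern:" /etc/group 2>/dev/null && continue
        fi
        echo "AllowGroups: no such group '$pattern'" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone demo on a constructed config (hypothetical groups; the last
# AllowGroups line deliberately lands inside a trailing Match block).
main() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Port 22
PermitRootLogin no
AllowGroups sshusers
AllowGroups admins
Match Address 10.0.0.0/8
    PasswordAuthentication yes
AllowGroups ops
EOF
    echo "global AllowGroups:       $(global_allowgroups "$cfg" | tr '\n' ' ')"
    echo "Match-scoped AllowGroups: $(match_scoped_allowgroups "$cfg" | tr '\n' ' ')"
    echo "unresolvable group names: $(missing_groups "$cfg")"
    if user_allowed_by_groups "$(id -un)" "$cfg"; then
        echo "$(id -un) would still be admitted"
    else
        echo "WARNING: $(id -un) would be locked out; fix the group list before restarting sshd"
    fi
    rm -f "$cfg"
}
main
```

Run it as root against the real file (`global_allowgroups /etc/ssh/sshd_config`, `user_allowed_by_groups "$(id -un)" /etc/ssh/sshd_config`) before the restart step; a non-zero count from missing_groups or a lock-out warning for your own account means the configuration should not go live yet.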