Trace: ssh-allowusers

Table of Contents

SSH AllowUsers

Preface

This option will provide possibility for management of access for Users that are connecting to your server from particular IP.

In this way it's possible to limit access on application level.
So far I know it's not possible to do this kind of user access filter on firewall level.

However this is a useful option, but it will not replace properly configured firewall on your server.

AllowUsers Configuration

Configuration file

Location: “/etc/ssh/sshd_config
I personally prefer to put this rules at end of the file to make it readable.

AllowUsers - Description

This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All of the specified user and group tests must succeed, before user is allowed to log in.

See PATTERNS in ssh_config(5) for more information on patterns.

Configuration Example:

You can put each user in to separate line 

AllowUsers user1@*                 # Enable access for "user1" from ANY IP
AllowUsers user2@10.0.0.1          # Enable acesss for "user2" from 10.0.0.1 IP
AllowUsers *@127.0.0.1             # Enable access for ANYONE  from 127.0.0.1 IP

Or you can put all access rules in to one line 

AllowUsers user1@* user2@10.0.0.1 *@127.0.0.1

To make sure that your change will be used at your system you'll need to restart after each update SSHD 

/etc/init.d/sshd restart         # For example at CentOS 6
systemctl restart sshd           # At OS with systemd for example CentOS 7

Example:

Create user

[root@SSH_SERVER ~]# adduser user1      # Create user1 account
[root@SSH_SERVER ~]# adduser user2      # Create user2 account
[root@SSH_SERVER ~]# passwd user1       # Set password for user1
...
[root@SSH_SERVER ~]# passwd user2       # Set password for user2
...

Update SSHD Configuration

[root@SSH_SERVER ~]# vi /etc/ssh/sshd_config                                     # Put your rules at the end of this file
....
AllowUsers user1@*                 # Enable access for "user1" from ANY IP
AllowUsers user2@10.0.0.1          # Enable acesss for "user2" from 10.0.0.1 IP
AllowUsers *@127.0.0.1             # Enable access for ANYONE  from 127.0.0.1 IP

Restart SSHD

[root@SSH_SERVER ~]# systemctl restart sshd                                       # Restart SSHD so that the change will take efect

Test to connect

[user@SSH_CLIENT ~]$ ssh user1@SSH_SERVER            # Use rulle "AllowUsers user1@*"
user1@SSH_SERVER's password:
[user1@SSH_SERVER ~]$

[user1@SSH_SERVER ~]$ ssh user2@127.0.0.1            # Use rulle "AllowUsers *@127.0.0.1"
user2@127.0.0.1's password:
[user2@SSH_SERVER ~]$

[user@SSH_SERVER ~]$ ssh user2@SSH_SERVER            # Use rulle "AllowUsers user2@10.0.0.1"
user2@SSH_SERVER's password:
Permission denied, please try again.
user2@SSH_SERVER's password:
Permission denied, please try again.
user2@SSH_SERVER's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

You are here: start » wiki » infrastructure_tools » ssh » ssh-allowusers

Navigation

Infrastructure Tools
- Nagios
- Netdisco
- NTP
- SNMP
- SSH
- WMI

OS
- CentOS
- Slackware
- HP Unix

HW
- Cables
- WI-FI / WLAN

Programming Languages
- AWK
- Expect
- Perl
- Shell

Philosophy
- Philosophy

Print/export
QR Code
QR Code wiki:infrastructure_tools:ssh:ssh-allowusers (generated for current page)