Limit SSH Access on Linux

Allow or deny SSH? You may want to provide secure and limited SSH access to your public hosts, using SSH keys. Here's a simple way to do it.


Care for better security with SSH? If you do, perhaps you don't want to allow root SSH access to your public hosts, facing the world. Instead, you'd prefer the use of SSH keys for select users, except root. Here's a quick guide on how to set this up.

Note: These instructions apply to Ubuntu 18.04 and can easily be adapted for the vast majority of Linux platforms.

Let's start with installing openssh-server on your remote Linux host:

sudo apt-get install -y openssh-server

Once installed, you can verify the status of the SSH service with:

sudo service ssh status

The SSH service is running if the output contains a line starting with Active: active (running).

By default, the local user accounts on your remote Linux host (including root) are allowed SSH access, using their system credentials. Let's assume you want to enable exclusive SSH access to user joe. This could be an existing account, or you can create it with:

sudo useradd -m -d /home/joe -s /bin/bash joe

Set the password for user joe:

sudo passwd joe

We can add joe to the sudo group and also to a dedicated ssh group (i.e. the group of users who are allowed SSH access):

sudo usermod -aG sudo,ssh joe

Let's give user joe exclusive SSH access. Make the following change in the /etc/ssh/sshd_config file:

AllowUsers joe

Alternatively, we could enable exclusive SSH access to the ssh group (in /etc/ssh/sshd_config):

#AllowUsers joe
AllowGroups ssh

Restart the SSH service to make changes effective:

sudo service ssh restart

Now for any other user, except joe (or users in the ssh group, if you chose the AllowGroups ssh alternative), the SSH login attempt would result in a permission error:

Permission denied, please try again.

Let's try to further secure SSH access and replace the SSH password authentication with public key authentication. For this, you'll need to generate a public/private key pair on the client machine used for SSH access. You may already have this key pair generated (check for the ~/.ssh/id_rsa and the ~/.ssh/id_rsa.pub files). Here's the command to generate the key pair:

ssh-keygen -t rsa -C "NAME"

Replace NAME with the name of your local client machine, or anything you'd prefer to name your public key with. You can verify the newly generated public key with:

cat ~/.ssh/id_rsa.pub

Next, copy the public key to your remote Linux host, targeted for SSH access. Keep in mind that at this time you still need to have password authentication enabled on your remote Linux host.

ssh-copy-id -i ~/.ssh/id_rsa.pub joe@your_remote_host

At this point you'll be able to SSH into your remote Linux host without password authentication:

ssh joe@your_remote_host

Finally, disable the SSH password authentication and enable the SSH public key authentication, on your remote Linux host. Make the following changes in /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

Restart the SSH service.

sudo service ssh restart
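As an added example (not part of the original guide), the following POSIX shell script applies this guide's sshd_config directives without leaving duplicate or commented-out copies behind, and syntax-checks the result before restarting. It assumes it runs as root on a plain sshd_config with no Match blocks; PermitRootLogin no is an extra directive assumed here, not one the guide sets.

```shell
#!/bin/sh
# Added example: apply this guide's sshd_config directives from a script
# instead of hand-editing. Run as root. Assumes a plain sshd_config with no
# Match blocks (a directive appended after a Match block would apply only
# inside that block, and the cleanup below would also strip Match-scoped lines).

# Replace every existing line for a directive (active or '#commented')
# with a single "Key value" line. sshd honours the FIRST occurrence of a
# directive, so an old line left above ours would silently win.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$cfg" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$cfg"        # overwrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# Print the effective value of a directive (first active match, as sshd
# would read it), or nothing if it is not set.
get_sshd_option() {
    grep -i -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

# The settings from the guide, plus PermitRootLogin no (an assumption added
# here to make the "no root over SSH" goal explicit; the guide itself relies
# on root not being a member of the ssh group).
harden_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" AllowGroups ssh
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PermitRootLogin no
}

# Syntax-check before restarting: a broken config would otherwise leave
# sshd unable to start, with you locked out. Keep an existing session open
# and confirm a key-based login works before calling this.
apply_and_restart() {
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && service ssh restart
}
```

Call apply_and_restart from a root shell once ssh-copy-id has installed your key; the restart is skipped if sshd -t reports an error.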

You now have SSH access limited to select users (joe, or users in the ssh group), with SSH keys used for authentication.