# Limit SSH Access on Linux

Allow or deny SSH? You may want to provide secure and limited SSH access to your public hosts, using SSH keys. Here's a simple way to do it.

---

Care for better security with SSH? If you do, perhaps you don't want to allow `root` SSH access to your public hosts, facing the world. Instead, you'd prefer the use of SSH keys for select users, except `root`. Here's a quick guide on how to set this up.

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">These instructions apply to Ubuntu 18.04 and can easily be adapted for the vast majority of Linux platforms.</div>
</div>

Let's start with installing `openssh-server` on your remote Linux host:

```bash
sudo apt-get install -y openssh-server
```

Once installed, you can verify the status of the SSH service with:

```bash
sudo service ssh status
```

A running status of the SSH service is suggested by the line starting with `Active: active (running)` in the related output.

By default, the local user accounts on your remote Linux host (including `root`) are allowed SSH access, using their system credentials. Let's assume you want to enable exclusive SSH access to user `joe`. This could be an existing account, or you can create it with:

```bash
sudo useradd -m -d /home/joe -s /bin/bash joe
```

Set the password for user `joe`:

```bash
sudo passwd joe
```

We can add `joe` to  the `sudoers` and also to a custom `ssh` group (e.g. for users with SSH access):

```bash
sudo usermod -aG sudo,ssh joe
```

Let's give user `joe` exclusive SSH access. Make the following changes in the `/etc/ssh/sshd-config` file:

```plaintext
AllowUsers joe
```

Alternatively, we could enable exclusive SSH access to the `ssh` group (in `/etc/ssh/sshd_config`):

```bash
#AllowUsers joe
AllowGroups ssh
```

Restart the SSH service to make changes effective:

```bash
sudo service ssh restart
```

Now for any other user, except `joe` (or users in the `ssh` group, if you chose the `AllowGroups ssh` alternative), the SSH login attempt would result in a permission error:

`Permission denied, please try again.`

Let's try to further secure SSH access and replace the SSH password authentication with public key authentication. For this, you'll need to generate a public/private key pair on the *client machine* used for SSH access. You may already have this key pair generated (check for the `~/.ssh/id_rsa` and the `~/.ssh/id_rsa.pub` files). Here's the command to generate the key pair:

```bash
ssh-keygen -t rsa -C "NAME"
```

Replace `NAME` with the name of your local client machine, or anything you'd prefer to name your public key with. You can verify the newly generated public key with:

```bash
cat ~/.ssh/id_rsa.pub
```

Next, copy the public key to your remote Linux host, targeted for SSH access. Keep in mind that at this time you still need to have password authentication enabled on your remote Linux host.

```bash
ssh-copy-id -i .ssh/id_rsa.pub joe@your_remote_host
```

At this point you'll be able to SSH into your remote Linux host *without* password authentication:

```bash
ssh joe@your_remote_host
```

Finally, *disable* the SSH password authentication and *enable* the SSH public key authentication, on your remote Linux host. Make the following changes in `/etc/ssh/sshd_config`:

```bash
PasswordAuthentication no
PubkeyAuthentication yes
```

Restart the SSH service.

```bash
sudo service ssh restart
```

You have now SSH access limited to select users (`joe`, or users in `ssh` group), using SSH keys for authentication.
