Limit SSH Access on Linux

Allow or deny SSH? You may want to provide a secure and limited SSH access to your public hosts, using SSH keys. Here's a simple a way to do it.

Limit SSH Access on Linux

Care for a better security with SSH?

If you do, perhaps you don't want to allow root SSH access to your public hosts, facing the world. Instead you'd prefer the use of SSH keys for select users, except root. Here's a quick guide on how to set this up.

These instructions apply for Ubuntu 18.04 and can easily be adapted for the vast majority of Linux platforms.

Let's start with installing openssh-server on your remote Linux host:

sudo apt-get install -y openssh-server

Once installed, you can verify the status of the SSH service with:

sudo service ssh status

A running status of the SSH service should yield an output similar to:

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enab
   Active: active (running) since Thu 2019-01-31 23:02:43 EST; 15s ago
 Main PID: 2563 (sshd)
    Tasks: 1 (limit: 2321)
   CGroup: /system.slice/ssh.service
           └─2563 /usr/sbin/sshd -D

Jan 31 23:02:43 ginger systemd[1]: Starting OpenBSD Secure Shell server...
Jan 31 23:02:43 ginger sshd[2563]: Server listening on port 22.
Jan 31 23:02:43 ginger sshd[2563]: Server listening on :: port 22.
Jan 31 23:02:43 ginger systemd[1]: Started OpenBSD Secure Shell server.

By default, the local user accounts on your remote Linux host (including root) are allowed SSH access, using their system credentials. Let's assume you want to enable exclusive SSH access to user joe. This could be an existing account, or you can create it with:

sudo useradd -m -d /home/joe -s /bin/bash joe

Set the password for user joe:

sudo passwd joe

We can add joe to  the sudoers and also to a custom ssh group (e.g. for users with SSH access):

sudo usermod -aG sudo,ssh joe

Let's give  joe exclusive SSH access. Make the following change in the /etc/ssh/sshd-config file:

AllowUsers joe

Alternatively we could enable exclusive SSH access to the ssh group:

#AllowUsers joe
AllowGroups ssh

Restart the SSH service to make changes effective:

sudo service ssh restart

Now for any other user, except joe (or users in the ssh group, if you chose the AllowGroups ssh alternative), the SSH login attempt would result in a permission error:

Permission denied, please try again.

Let's try to further secure SSH access and replace the SSH password authentication with public key authentication. For this you'll need to generate a public/private key pair on the client machine used for SSH access. You may already have this key pair generated (check for the ~/.ssh/id_rsa and the ~/.ssh/ files). Here's the command to generate the key pair:

ssh-keygen -t rsa -C "NAME"

Replace NAME with the name of your local client machine, or anything you'd prefer to name your public key with. You can verify the newly generated public key with:

cat ~/.ssh/

Next, copy the public key to your remote Linux host, targeted for SSH access. Keep in mind that at this time you still need to have password authentication enabled on your remote Linux host.

ssh-copy-id -i .ssh/ joe@your_remote_host

At this point you'll be able to SSH into your remote Linux host without password authentication:

ssh joe@your_remote_host

Finally, disable the SSH password authentication and enable the SSH public key authentication, on your remote Linux host. Make the following changes in /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

Restart the SSH service.

sudo service ssh restart

You have now SSH access limited to select users (joe, or users in ssh group), using SSH keys for authentication.