By default, any user with a valid password or public key can SSH into a system. For dedicated servers with specific roles, such as an FTP server or an e-mail server, disabling SSH login for non-root users is usually recommended. This post details the steps to disable SSH login access for non-root users. Three different ways are discussed here; any one of them achieves the purpose.
Method 1 – using /etc/ssh/sshd_config file
This method can also be used to allow SSH login for only a select few users. Edit the file /etc/ssh/sshd_config (the OpenSSH SSH daemon configuration file) and add the keyword AllowUsers with the argument root.
# vi /etc/ssh/sshd_config
AllowUsers root
Now restart the sshd service:
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Verify that non-root users cannot log in through SSH but the root user can.
# ssh test@host1
test@host1's password:
Permission denied, please try again.
test@host1's password:
Permission denied, please try again.
test@host1's password:
Permission denied (publickey,gssapi-with-mic,password).
# ssh root@host1
root@host1's password:
Last login: Wed Sep 13 10:47:14 2017 from 10.10.10.10
[root@host1 ~]#
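As an added example (not code from the original post), the following POSIX shell script predicts the decision sshd makes from its user lists, following the order documented in sshd_config(5): DenyUsers is checked first, then AllowUsers, and once any AllowUsers line exists every user it does not match is denied. It handles the plain user form and the user@host form with the `*` and `?` wildcards, and evaluates only the global section, stopping at the first Match block, because directives inside Match apply only to matching connections. The sshd_config excerpt, user names and addresses are constructed for the demonstration; the sample sets PermitRootLogin yes because AllowUsers root only helps if root login is permitted at all.

```shell
#!/bin/sh
# Added example (not from the original post): predict sshd's AllowUsers /
# DenyUsers decision for a user from an sshd_config file.
# Order follows sshd_config(5): DenyUsers is checked first, then AllowUsers;
# once any AllowUsers line exists, every user not matched by it is denied.
# Only the global section is evaluated; parsing stops at the first Match block.

set -f   # disable pathname expansion: "10.10.10.*" must stay a literal pattern

# Constructed sample configuration used for the demonstration.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
AllowUsers root backup@10.10.10.*
DenyUsers guest
Match Group sftponly
    AllowUsers sftp1
EOF

# Match one AllowUsers/DenyUsers token ("user" or "user@host"; * and ? wildcards).
# usage: pattern_match <token> <user> <client-address>
pattern_match() {
    case $1 in
        *@*)
            upat=${1%%@*}; hpat=${1#*@}
            case $2 in $upat) ;; *) return 1 ;; esac
            case $3 in $hpat) return 0 ;; *) return 1 ;; esac ;;
        *)
            case $2 in $1) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# Return 0 if <user> (connecting from <client-address>, optional) passes the lists.
# usage: user_allowed <config> <user> [client-address]
user_allowed() {
    config=$1; user=$2; addr=${3:-}
    allow_seen=0; allow_hit=0
    while read -r key rest; do
        case $key in ''|'#'*) continue ;; esac          # blank lines and comments
        keyword=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        [ "$keyword" = match ] && break                  # Match blocks are out of scope here
        case $keyword in
            denyusers)
                for tok in $rest; do
                    pattern_match "$tok" "$user" "$addr" && return 1
                done ;;
            allowusers)
                allow_seen=1
                for tok in $rest; do
                    pattern_match "$tok" "$user" "$addr" && allow_hit=1
                done ;;
        esac
    done <"$config"
    [ "$allow_seen" -eq 0 ] || [ "$allow_hit" -eq 1 ]
}

# Stand-alone demonstration (root and backup@10.10.10.* allowed, others denied).
for u in root test guest "backup 10.10.10.5" "backup 192.168.10.10"; do
    # $u is split on purpose into user and address
    if user_allowed "$SAMPLE_CONFIG" $u; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

On a live host, `sshd -t` checks the syntax of the edited file before the restart and `sshd -T` prints the effective configuration so the AllowUsers line can be confirmed; both are standard OpenSSH server options.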
Method 2 - using /etc/nologin file
This is the quickest way to block all non-root users from SSH login.
1. Create a file /etc/nologin on the remote host.
# touch /etc/nologin
# ls -lrt /etc/nologin
-rw-r--r-- 1 root root 0 Sep 13 13:23 /etc/nologin
2. Make sure the line below is in the file /etc/pam.d/sshd:
account required pam_nologin.so
Note: back up the file /etc/pam.d/sshd before modifying it.
3. Then restart the sshd service:
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
4. Verify non-root user SSH login:
# ssh test@host1
test@host1's password:
Connection closed by 192.168.10.10
Method 3 - using /etc/sshd/sshd.allow file
The file /etc/sshd/sshd.allow is used to specify the list of users who are granted ssh access. If only the user root is listed in this file, all other users are denied ssh access to the host.
1. Add the root user to the file /etc/sshd/sshd.allow (if the directory or file does not exist, create it manually).
# cat /etc/sshd/sshd.allow
root
2. Replace the auth line in the file /etc/pam.d/sshd as below:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
Here,
auth required pam_listfile.so : the module required while authenticating users.
item=user : the item checked is the user name.
sense=allow : users found in the list are allowed.
file=/etc/sshd/sshd.allow : the user list file.
onerr=fail : if the user name is not in the file, login is not allowed.
3. Restart the sshd service once you are done with all the above changes.
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
4. Verify non-root user SSH login:
# ssh test@host1
test@host1's password:
Permission denied, please try again.
test@host1's password:
Permission denied, please try again.
test@host1's password:
Permission denied (publickey,gssapi-with-mic,password).
Also verify that you can ssh as the root user:
# ssh root@host1
root@host1's password:
Last login: Wed Sep 13 14:53:47 2017 from 10.10.10.10
[root@host1 ~]#
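As an added example covering Methods 2 and 3 (not code from the original post), the following POSIX shell script reads a constructed /etc/pam.d/sshd, confirms that pam_nologin is in the account group and pam_listfile in the auth group, and emulates both modules' decisions: pam_nologin turns away every user except root while the nologin file exists, and pam_listfile with sense=allow admits only the names in the list file. One caveat worth checking: the onerr option governs only the case where the list file itself cannot be read (onerr=fail denies everyone then, which is the safe choice); a user absent from a sense=allow list is denied regardless of onerr. All file paths are temporary stand-ins created by the script, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/pam.d/sshd stack for
# the pam_nologin and pam_listfile controls and predict their combined decision.
# All paths below are constructed stand-ins so the script runs offline.

set -f   # no pathname expansion while splitting module option lists

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PAM_SSHD="$WORK/pam_sshd"        # stands in for /etc/pam.d/sshd
ALLOW_FILE="$WORK/sshd.allow"    # stands in for /etc/sshd/sshd.allow
NOLOGIN="$WORK/nologin"          # stands in for /etc/nologin (absent until created)

cat >"$PAM_SSHD" <<EOF
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=$ALLOW_FILE onerr=fail
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
printf 'root\n' >"$ALLOW_FILE"

# Is <module> configured in management group <type> of <pamfile>?
# usage: pam_has <pamfile> <type> <module>
pam_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^[:space:]]+[[:space:]]+$3" "$1"
}

# Emulate pam_listfile (item=user): 0 = allow, 1 = deny.
# usage: listfile_allows <pamfile> <user>
listfile_allows() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$1" | head -n 1)
    sense=; onerr=; file=
    for opt in $line; do
        case $opt in
            sense=*) sense=${opt#sense=} ;;
            onerr=*) onerr=${opt#onerr=} ;;
            file=*)  file=${opt#file=} ;;
        esac
    done
    if [ ! -r "$file" ]; then
        # onerr decides only this case: the list file itself cannot be read.
        [ "$onerr" = succeed ] && return 0
        return 1
    fi
    if grep -qxF -- "$2" "$file"; then listed=1; else listed=0; fi
    case $sense in
        allow) [ "$listed" -eq 1 ] && return 0; return 1 ;;
        deny)  [ "$listed" -eq 0 ] && return 0; return 1 ;;
        *)     return 1 ;;   # sense missing or unknown: treat as misconfigured
    esac
}

# Emulate pam_nologin: while <nologin-file> exists, only root may log in.
# usage: nologin_allows <nologin-file> <user>
nologin_allows() {
    [ ! -e "$1" ] && return 0
    [ "$2" = root ] && return 0
    return 1
}

# Combined verdict for the stack: 0 = login allowed, 1 = denied.
# usage: pam_allows <pamfile> <nologin-file> <user>
pam_allows() {
    if pam_has "$1" auth pam_listfile.so; then
        listfile_allows "$1" "$3" || return 1
    fi
    if pam_has "$1" account pam_nologin.so; then
        nologin_allows "$2" "$3" || return 1
    fi
    return 0
}

# Stand-alone demonstration: root is allowed, test is denied by pam_listfile.
for u in root test; do
    if pam_allows "$PAM_SSHD" "$NOLOGIN" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

Because pam_nologin is typically present in other services' PAM stacks as well (console login, for example), creating the nologin file blocks those non-root logins too, not only SSH; the emulation above looks only at the sshd stack.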