How do I allow or deny specific users in SSH?



By default, OpenSSH allows logins for anyone with a valid password and shell. However, on a Linux system with numerous system accounts, this can be problematic. Imagine that you’re running a mail server, where each mail user has a system account. If you set up an e-mail account for a friend, you may unwittingly give him or her shell access to the system.

Fortunately, OpenSSH can resolve this issue. Use your favorite editor to open the /etc/ssh/sshd_config file, which is the master OpenSSH server configuration. At the end of the file, you can add statements to fine-tune the login restrictions to the system. For example, if your friend has a system account solely for the purpose of obtaining e-mail, add the following statement to the end of the file:

DenyUsers username

Replace username with the name of your friend. This tells OpenSSH to disallow any logins for username, regardless of whether he or she gets the password right. OpenSSH will take the username and password but will return with an incorrect login prompt.

If you want to deny access to several users, use the inverse to deny everyone and then specify access to one or more accounts:

AllowUsers username

This allows only the user named username access to log in to the Linux server.
No one else will have access.
Use as many AllowUsers or DenyUsers keywords that you need to tighten the access controls on the system.