Home Linux Security How to Disable SSH Login to Specific User in Linux

How to Disable SSH Login to Specific User in Linux

As you might already know, SSH (Secure Shell) is a network protocol for securely accessing a computer remotely. The server and client software in Linux are thereby known as SSH Server and SSH Client respectively and have many implementations.

By default, SSH allows you to log in to any user of the computer, as long as you have the password for the user. However, this comes with the same problem which is faced by any software using password-based authentication: an invitation for an attacker to exploit and gain admin access.

Today, we will see how to disable SSH login to a specific user, and more importantly, to the root user.

Disable SSH Access to User

You can log in to a system using SSH with any user, using the following syntax:

$ ssh tempuser@localhost
SSH User Login
SSH User Login

Right now, SSH access is allowed on my machine for all users. Let us now deny access to a particular user called ‘tempuser‘.

Open file ‘/etc/ssh/sshd_config’ in any text editor.

$ sudo vim /etc/ssh/sshd_config

Add the following line at the end of the file:

DenyUsers	tempuser

Important: There is a ‘Tab‘ between ‘DenyUsers‘ and ‘tempuser‘ and not space. It won’t recognize the directive if you add a space.

Disable SSH Login to User
Disable SSH Login to User

Save and exit the file.

Restart SSH server with the following command:

$ sudo systemctl restart sshd

If you are using a system that does not have SystemD, run:

$ sudo service sshd restart

Now, try logging in to localhost with user ‘tempuser’ using SSH. It should show the error ‘Permission denied’, as displayed below:

$ ssh tempuser@localhost
SSH Permission Denied Error
SSH Permission Denied Error

Disable SSH Root Access

The same way described above can be used to disable login to a root user. However to disable complete root access, i.e., to disable access to all root users, follow the steps given below.

Open the file ‘/etc/ssh/sshd_config’ in any text editor and search for the string ‘PermitRootLogin’. Uncomment the line and if it has any other value, set the value to ‘no’.

PermitRootLogin  no
Disable SSH Root Login
Disable SSH Root Login

Save and exit the file. Restart SSH with:

$ sudo systemctl restart sshd

Or if you are not having SystemD:

$ sudo service sshd restart

Now try logging in to localhost with user ‘root’. It will also show the error ‘Permission Denied’.

$ ssh root@localhost
SSH Permission Denied Error
SSH Permission Denied Error
Conclusion

In this article, we learned how to disable SSH login access to a specific user. Restricting access to a Non-root user depends on individual scenarios, however, access to Root must be always restricted.

If there is a need for remote Root access, you should set up SSH with RSA authentication, which is more secure than password authentication. Read the man page of SSH (‘man ssh’) for more details.

Thanks for reading and let us know your thoughts in the comments section below!

Ravi Saive
I am an Experienced GNU/Linux expert and a full-stack software developer with over a decade in the field of Linux and Open Source technologies. Founder of TecMint.com, LinuxShellTips.com, and Fossmint.com. Over 150+ million people visited my websites.

Each tutorial at UbuntuMint is created by a team of experienced writers so that it meets our high-quality standards.

Was this article helpful? Please add a comment to show your appreciation and support.

3 thoughts on “How to Disable SSH Login to Specific User in Linux”

  1. At least on Fedora 28, this is what I get with ssh.

    $ sudo systemctl restart ssh
    
    Failed to restart ssh.service: Unit ssh.service not found.
    

    So it seems at least on some systems `restart sshd` is required

    Reply
    • It’s the same, sshd.service is just an alias to ssh.service.

      Also, a tab after DenyUsers is not necessary or important, space works just fine.

      Reply

Got something to say? Join the discussion.

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published or shared. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.