How do I disable remote access for non-root users over ssh? I would like to do this on demand if possible.
4 Answers
Everyone is doing this the hard way. He said deny for all non-root users, so just edit
/etc/ssh/sshd_config
Add the following
AllowGroups wheel root
Then restart ssh
Anyone in the wheel or root group will be allowed to ssh in

he said 'on demand' – b0fh Aug 09 '10 at 12:58
Several possibilities:
- /bin/false as login shell for the normal users in /etc/passwd
- Add only root to AllowUsers in /etc/ssh/sshd_config

Can use PAM as well:
cp /etc/security/access.conf /etc/security/sshd.conf
echo "+ : root : ALL" >> /etc/security/sshd.conf
echo "- : ALL : ALL" >> /etc/security/sshd.conf
Then modify /etc/pam.d/sshd to add the following line after the other accounts:
account required pam_access.so accessfile=/etc/security/sshd.conf
This will also allow you to restrict by network if you decide to do so in the future.

If you want it to be on-demand, the standard way is to use /etc/nologin (have a look at man 5 nologin).
Creating this file (with an optional message inside) will deny non-admin logins and display the message instead; removing the file will allow logins back.
It can be applied to ssh, local logins, and anything else that uses PAM; just make sure that the PAM configuration for the service requires pam_nologin.so. (It does by default for ssh and console logins on many distributions.)

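The on-demand toggle from the /etc/nologin answer above, as an added example that is not part of the original answers. It refuses to lock unless the sshd PAM file actually lists pam_nologin.so. The function names and the NOLOGIN_FILE and PAM_SSHD override variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers): toggle non-root logins on demand
# by creating or removing the nologin file. Function and variable names are hypothetical.
# Both paths can be overridden, e.g. to try the logic on scratch files.
NOLOGIN_FILE="${NOLOGIN_FILE:-/etc/nologin}"
PAM_SSHD="${PAM_SSHD:-/etc/pam.d/sshd}"

# True if the PAM file has an active (uncommented) auth/account line naming
# pam_nologin.so. Files pulled in via include directives are not followed.
pam_nologin_enabled() {
    grep -Eq '^[[:space:]]*-?(auth|account)[[:space:]]+.*pam_nologin\.so' "$PAM_SSHD"
}

# Create the nologin file with a message, but only if sshd's PAM stack will honour it.
lock_logins() {
    if ! pam_nologin_enabled; then
        echo "pam_nologin.so is not active in $PAM_SSHD; not locking" >&2
        return 1
    fi
    msg="${1:-Logins are temporarily disabled.}"
    tmp="$NOLOGIN_FILE.$$"
    # Write to a temp file and rename, so a half-written message is never shown.
    printf '%s\n' "$msg" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$NOLOGIN_FILE"
}

# Remove the file; logins are allowed again.
unlock_logins() {
    rm -f "$NOLOGIN_FILE"
}

# Print "locked" or "open".
login_state() {
    if [ -e "$NOLOGIN_FILE" ]; then echo locked; else echo open; fi
}

# Command-line entry point: lock [message] | unlock | status
case "${1:-}" in
    lock)   shift; lock_logins "$@" ;;
    unlock) unlock_logins ;;
    status) login_state ;;
esac
```

Run it as root with `lock "Maintenance until 18:00"`, `unlock` or `status` as the first argument. The file is only checked at login time, so sessions that are already open stay connected.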