Secure SSH Access on Ubuntu Using AllowGroups
This article explains the AllowGroups directive in
OpenSSH, detailing what it is and how to implement it to secure SSH
access on Ubuntu Linux. By restricting SSH login permissions to specific
user groups, system administrators can significantly reduce the attack
surface of their servers and prevent unauthorized access.
Understanding the AllowGroups Directive
The AllowGroups directive is a security feature within
the OpenSSH daemon configuration (sshd_config). It acts as
a strict whitelist, specifying exactly which user groups are permitted
to log in to the server via SSH.
When you define one or more groups using this directive, the SSH daemon will immediately reject connection attempts from any user who is not a member of the specified groups. This rejection occurs even if the user has valid credentials (such as a password or SSH key). It is one of the most effective ways to enforce the principle of least privilege on a Linux server.
Why Use AllowGroups for SSH Security?
Using AllowGroups offers several security advantages
over individual user management:
- Centralized Access Control: Instead of modifying the SSH configuration file every time a new user requires remote access, you can manage access by simply adding or removing users from a designated system group.
- Protection Against Brute-Force Attacks: Standard system accounts (like service accounts or system users) are automatically blocked from SSH access because they do not belong to the allowed SSH group.
- Reduced Human Error: Managing access via group membership reduces the risk of accidentally exposing sensitive accounts to external SSH login attempts.
How to Configure AllowGroups on Ubuntu
Follow these steps to configure and secure your Ubuntu SSH server
using the AllowGroups directive.
Step 1: Create a Dedicated SSH Group
First, create a new system group that will be granted SSH access. In
this example, we will name the group sshusers.
sudo groupadd sshusers
Step 2: Add Users to the Group
Add the users who require SSH access to the newly created group.
Replace username with the actual username of the
account.
sudo usermod -aG sshusers username
To verify that the user has been successfully added to the group, run:
groups username
Step 3: Edit the SSH Daemon Configuration
Open the SSH daemon configuration file using a text editor with root privileges:
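sudo nano /etc/ssh/sshd_config
Scroll to the bottom of the file and add the AllowGroups
directive followed by the name of your group. If the file contains a
Match block, place the directive above the first Match line, because
directives that follow a Match line apply only to that block.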
AllowGroups sshusers
Note: You can specify multiple groups by separating them with
spaces (e.g., AllowGroups sshusers admin-ssh).
Step 4: Test the Configuration
Before restarting the SSH service, always test the configuration file for syntax errors to avoid locking yourself out of the server.
sudo sshd -t
If this command returns no output, the configuration is valid.
Step 5: Restart the SSH Service
Apply the changes by restarting the SSH daemon:
sudo systemctl restart ssh
Active SSH sessions will not be disconnected, but all new connection
attempts will now be filtered based on the new AllowGroups
rule. Always keep your current terminal session open and test the
connection in a new window to ensure you can still log in.
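The syntax test in Step 4 does not tell you whether your own account is still covered by the new rule. The following added example (not part of the original article) is a pre-flight check that reads the effective configuration as printed by `sshd -T` and tests a user's groups against the AllowGroups patterns. The function names, users and sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Pre-flight lockout check for AllowGroups (added example, POSIX sh).

# allowed_groups: read sshd configuration text on stdin (ideally the output
# of `sshd -T`) and print every AllowGroups pattern, one per line. Keywords
# are case-insensitive and repeated AllowGroups lines accumulate.
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# user_passes CONFIG_TEXT GROUP...: succeed if any GROUP matches an
# AllowGroups pattern, or if the configuration sets no AllowGroups at all.
# Assumes patterns use only the * and ? wildcards that sshd understands.
user_passes() {
    config=$1; shift
    patterns=$(printf '%s\n' "$config" | allowed_groups)
    [ -z "$patterns" ] && return 0      # directive absent: no group filter
    for group in "$@"; do
        while IFS= read -r pattern; do
            # $pattern is left unquoted so that * and ? act as wildcards.
            case $group in $pattern) return 0 ;; esac
        done <<EOF
$patterns
EOF
    done
    return 1
}

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_CONFIG='port 22
allowgroups sshusers
allowgroups admin-ssh
passwordauthentication no'

# Hypothetical users: alice is in sshusers, www-data is a service account.
user_passes "$SAMPLE_CONFIG" alice sshusers && echo "alice: would pass"
user_passes "$SAMPLE_CONFIG" www-data || echo "www-data: would be refused"

# On a real server, before restarting sshd:
#   user_passes "$(sudo sshd -T)" $(id -Gn "$USER") || echo "you would be locked out"
```

Group changes made with usermod only show up in `id -Gn username` (with the name given explicitly); an already running shell keeps its old group list until the next login.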