How to Disable Users from SSH Access for Remote Login

Removing SSH Access from the Disabled Users

SSH Access by Disabled Users
Simply disabling or locking a user account will not prevent the user from logging in to your remote server if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server without needing any password. Remember to check the user's home directory for files that allow this type of authenticated SSH access, e.g. /home/username/.ssh/authorized_keys

Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication.

Be sure to check for any established SSH connections belonging to the disabled user, as they may have existing inbound or outbound connections. Kill any that are found.

Restrict SSH access to only the user accounts that should have it. For example, you may create a group called sshlogin and set the group name as the value of the AllowGroups directive in the file /etc/ssh/sshd_config:

AllowGroups sshlogin

Then add your permitted SSH users to the group sshlogin, and restart the SSH service:
sudo adduser username sshlogin
sudo /etc/init.d/ssh restart
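
The checks from the steps above, collected into one audit script. This is an added example, not part of the original page: the function names are hypothetical, the key file locations assume OpenSSH's default AuthorizedKeysFile setting, and sshlogin is the group name used above.

```shell
#!/bin/sh
# Added example: find what still lets a disabled account in over SSH.
# File paths are parameters so the checks can also run against copies.

# 0 if USER's password field in a shadow(5)-format file starts with '!' or '*'.
is_locked() {  # is_locked USER [SHADOW_FILE]
    awk -F: -v u="$1" '$1 == u { found = 1; if ($2 ~ /^[!*]/) ok = 1 }
        END { exit !(found && ok) }' "${2:-/etc/shadow}"
}

# Print each key file under HOME_DIR that still holds at least one key line.
# Assumes OpenSSH's default AuthorizedKeysFile locations.
key_files() {  # key_files HOME_DIR
    for f in "$1/.ssh/authorized_keys" "$1/.ssh/authorized_keys2"; do
        # Blank lines and comments do not count; anything else is a key entry.
        [ -f "$f" ] && grep -Eqv '^[[:space:]]*(#|$)' "$f" && echo "$f"
    done
    return 0
}

# 0 if USER is in GROUP's member list in a group(5)-format file.
in_group() {  # in_group USER GROUP [GROUP_FILE]
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit !hit }' "${3:-/etc/group}"
}

# List the user's running ssh/sshd processes (established connections).
user_sessions() { ps -o pid=,args= -u "$1" 2>/dev/null | grep ssh; return 0; }

# Print findings for USER; the return value is the number of findings.
audit_user() {  # audit_user USER HOME_DIR [SHADOW_FILE] [GROUP_FILE] [GROUP]
    n=0
    is_locked "$1" "${3:-/etc/shadow}" || { echo "$1: password not locked"; n=$((n + 1)); }
    keys=$(key_files "$2")
    [ -z "$keys" ] || { echo "$1: usable keys in $keys"; n=$((n + 1)); }
    if in_group "$1" "${5:-sshlogin}" "${4:-/etc/group}"; then
        echo "$1: still a member of ${5:-sshlogin}"; n=$((n + 1))
    fi
    return "$n"
}

# Usage (as root): sh audit.sh username /home/username
if [ "$#" -ge 2 ]; then
    audit_user "$@"; rc=$?
    user_sessions "$1"
    exit "$rc"
fi
```

An exit status of 0 means none of the three checks found a remaining SSH path; a locked account that still has key lines or sshlogin membership is reported as a finding.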

External User Database Authentication
Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.



nScraps.com 2011