How to restrict or control SSH access for root, users and groups

To restrict SSH access for root and permit it for selected users and groups on UCS, have a look at the following.

Root

Basically, with the UCRV:

ucr set sshd/permitroot=

you can set the following restrictions for root:

  • yes allows root login without restrictions,
  • without-password only allows public-key authentication for root, no password login,
  • no denies root login altogether.

This is one way to keep the usual automated password-guessing attacks against root on port 22 in check.

auth/sshd

The variables listed by:

ucr search auth/sshd/*

take care of users and groups.
Please also see our documentation.

The user and group restrictions for sshd are switched on with the following variable:

auth/sshd/restrict: yes

Users

In the example below, SSH login is allowed only for the user testssh:

ucr set auth/sshd/user/testssh=yes

This is valid for LDAP users as well as local users.

Groups

Here only members of the groups Administrators, Computers, Backup Nodes, Replica Nodes and Domain Admins are allowed to use SSH:

auth/sshd/group/Administrators: yes
auth/sshd/group/Computers: yes
auth/sshd/group/DC Backup Nodes: yes
auth/sshd/group/DC Replica Nodes: yes
auth/sshd/group/Domain Admins: yes

This is done with:

ucr set auth/sshd/group/yourgroup=yes/no

Group names containing spaces, like several of the ones above, must be quoted on the shell, e.g. ucr set "auth/sshd/group/Domain Admins=yes".


General

:warning: Be careful

Disallowing root and allowing only a single LDAP user to log in works until the LDAP service goes down. Consider creating a local user with adduser and setting the UCRV:

ucr set sshd/permitroot=without-password

Now you should still be able to reach your system even when most services other than sshd are down.
It is good practice to test the users' SSH access before root or the Administrators are locked out. But no worries: even with broken SSH there is UMC --> Settings --> Univention Configuration Registry, where you can adjust the sshd settings accordingly.
And with broken SSH and no LDAP there is still the rescue boot :wink:
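
As an added example (not part of the original post and not UCS code), the following POSIX shell script audits exactly the lockout risk warned about above. It reads key: value lines in the form produced by ucr dump together with a passwd-style list of local accounts and reports whether at least one SSH login path survives an LDAP outage: root permitted via sshd/permitroot, restrictions switched off, or a local user explicitly allowed. All sample data, the function names and the rule that without-password counts as a working path (it assumes root's authorized key is in place) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not UCS code: lockout audit for the UCR-based sshd
# restrictions. Input is text in the "key: value" form of `ucr dump`
# plus a passwd-style list of LOCAL accounts (LDAP users are not in
# /etc/passwd, which is exactly why they vanish when slapd is down).

# Constructed sample: root denied, restriction on, only an LDAP user allowed.
SAMPLE_UCR_RISKY='sshd/permitroot: no
auth/sshd/restrict: yes
auth/sshd/user/testssh: yes
auth/sshd/group/Administrators: yes
auth/sshd/group/Domain Admins: yes'

# Constructed sample: same policy plus a local fallback user.
SAMPLE_UCR_FIXED="$SAMPLE_UCR_RISKY
auth/sshd/user/rescue: yes"

# Constructed sample: root allowed with keys only, as the post recommends.
SAMPLE_UCR_ROOTKEY='sshd/permitroot: without-password
auth/sshd/restrict: yes
auth/sshd/user/testssh: yes'

# Constructed /etc/passwd excerpt (local accounts only; testssh is LDAP-only).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rescue:x:1001:1001::/home/rescue:/bin/bash'

# ucr_value DUMP KEY -> prints the value of KEY, nothing if unset.
ucr_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2; exit }'
}

# allowed_users DUMP -> prints each <name> with auth/sshd/user/<name>: yes
allowed_users() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ /^auth\/sshd\/user\// && $2 == "yes" {
            sub("^auth/sshd/user/", "", $1); print $1
        }'
}

# is_local_user PASSWD NAME -> exit 0 if NAME has a local account
is_local_user() {
    printf '%s\n' "$1" | awk -v u="$2" -F: '$1 == u { found = 1 } END { exit !found }'
}

# audit_ssh_lockout DUMP PASSWD -> prints a verdict; exit 0 when at least
# one ssh login path does not depend on LDAP, exit 1 when a single slapd
# outage would make the host unreachable over ssh.
audit_ssh_lockout() {
    permitroot=$(ucr_value "$1" sshd/permitroot)
    restrict=$(ucr_value "$1" auth/sshd/restrict)

    case "$permitroot" in
        yes|without-password)
            echo "OK: root login permitted ($permitroot), independent of LDAP"
            return 0 ;;
    esac
    if [ "$restrict" != "yes" ]; then
        echo "OK: auth/sshd/restrict is off, local users are not filtered"
        return 0
    fi
    for u in $(allowed_users "$1"); do
        if is_local_user "$2" "$u"; then
            echo "OK: local user '$u' is explicitly allowed"
            return 0
        fi
    done
    echo "RISK: root denied and every allowed user is LDAP-only;" \
         "add a local user or set sshd/permitroot=without-password"
    return 1
}

# Demo run; the first call is expected to report RISK and return 1.
audit_ssh_lockout "$SAMPLE_UCR_RISKY" "$SAMPLE_PASSWD" || true
audit_ssh_lockout "$SAMPLE_UCR_FIXED" "$SAMPLE_PASSWD"
audit_ssh_lockout "$SAMPLE_UCR_ROOTKEY" "$SAMPLE_PASSWD"
```

On a real UCS host the two inputs would be replaced by the output of ucr dump and the contents of /etc/passwd; the script deliberately treats any user absent from the local passwd file as LDAP-only, so it errs on the side of reporting a risk.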

Other Services

Login restrictions of this kind are supported for the following services:

chfn, chsh, cron, ftp, gdm, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo

Exception

You can't use the traditional AllowUsers directive you may know from a standard sshd_config for the user settings discussed above. Instead, look into /etc/univention/base.conf rather than /etc/ssh/sshd_*.
