What's Actually Happening

A user with valid credentials attempts to SSH into a server and is rejected no matter whether the password or key is correct. The SSH daemon's access control directives (AllowUsers, DenyUsers, AllowGroups, DenyGroups) either explicitly deny the user or fail to allow them. sshd then handles the login as if the account did not exist: every authentication method fails, and the client is deliberately given no reason, so the only clear evidence is on the server.

The Error You'll See

The client shows only the generic error it would show for a wrong password:

bash
Permission denied, please try again.

Or once the client has exhausted the offered methods:

bash
Permission denied (publickey,password).

In the server logs (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on RHEL-family systems, or journalctl -u ssh / journalctl -u sshd where only the systemd journal is kept), sshd records the real reason. Which message appears tells you which directive blocked the user:

bash
User username from 192.168.1.50 not allowed because not listed in AllowUsers
User admin from 10.0.0.1 not allowed because listed in DenyUsers
User test from 192.168.1.100 not allowed because a group is listed in DenyGroups
User test from 192.168.1.100 not allowed because none of user's groups are listed in AllowGroups
User test from 192.168.1.100 not allowed because not in any group

The last message is rare: it means the account has no resolvable group membership at all, which sshd treats as a failure whenever AllowGroups or DenyGroups is set.

Why This Happens

SSH supports four access control directives in sshd_config:

- AllowUsers - only the listed users can connect
- DenyUsers - the listed users cannot connect
- AllowGroups - only members of the listed groups can connect
- DenyGroups - members of the listed groups cannot connect

Each takes a space-separated list of patterns; the * and ? wildcards are accepted, and AllowUsers/DenyUsers entries may take the form user@host to restrict a user to particular source hosts or addresses. Several lines of the same directive accumulate rather than replace each other.

If a user matches a deny rule, or an allow rule exists that the user does not match, access is blocked: sshd logs the reason and then lets every authentication attempt fail.

Step 1: Check Current SSH Access Configuration

Examine the SSH daemon configuration for the four directives (a bare "Allow|Deny" grep also matches unrelated keywords such as AllowTcpForwarding and AllowAgentForwarding, so narrow the pattern):

bash
sudo grep -Ei '^[[:space:]]*(Allow|Deny)(Users|Groups)' /etc/ssh/sshd_config

Look for lines like:

bash
AllowUsers admin deploy
DenyUsers guest test
AllowGroups ssh-users sudo
DenyGroups blocked

Step 2: Verify User's Group Membership

Check which groups the user belongs to:

bash
groups username

Or for a more detailed view:

bash
id username

Compare against any AllowGroups or DenyGroups settings. sshd checks the primary group and all supplementary groups, and it looks them up at login time, so a change in group membership takes effect on the user's next connection without any sshd restart.

Step 3: Check All sshd_config Include Files

Modern SSH configurations frequently include additional files. Debian and Ubuntu, for example, ship sshd_config with an Include /etc/ssh/sshd_config.d/*.conf line at the top, and because Allow/Deny lists accumulate across files, an entry in a drop-in file counts exactly like one in the main file. Search the whole directory:

bash
sudo grep -rEi '^[[:space:]]*(Allow|Deny)(Users|Groups)' /etc/ssh/

This catches access controls in included configuration files. Also check whether a match sits inside a Match block (Match Address, Match User, and so on), in which case it applies only to matching connections; the command sshd -T prints the merged, effective configuration with all Include files applied.

Step 4: Add User to AllowUsers or AllowGroups

Edit /etc/ssh/sshd_config (keep your current session open while you do this, and test from a second terminal, so a typo cannot lock you out):

bash
sudo nano /etc/ssh/sshd_config

For AllowUsers, add the username:

bash
AllowUsers admin deploy username

Or use group-based access for easier management. Add the user to the group (the -a flag matters: without it, usermod replaces the user's supplementary groups instead of adding one):

bash
sudo usermod -aG ssh-users username

with sshd_config containing:

bash
AllowGroups ssh-users

Step 5: Remove User from DenyUsers or DenyGroups

If the user is in a deny list, either remove the name from the DenyUsers line (here, dropping test from DenyUsers guest test):

bash
DenyUsers guest

Or remove them from a denied group (this handles supplementary groups; if blocked is the user's primary group, change it with usermod -g instead):

bash
sudo gpasswd -d username blocked

Step 6: Understand Rule Processing Order

SSH processes the directives in this order:

  1. DenyUsers
  2. AllowUsers
  3. DenyGroups
  4. AllowGroups

A user must pass every check that is configured. Being in DenyUsers blocks access even if the user is also in AllowUsers, and if an AllowUsers line exists, a user not matched by it is denied even when a member of a group listed in AllowGroups; likewise, an AllowUsers match does not help a user whose groups fail an AllowGroups check.

Step 7: Validate Configuration Before Applying

Test the configuration for syntax errors:

bash
sudo sshd -t

If there are errors, fix them before proceeding. Note that sshd -t only validates syntax: a misspelled username in AllowUsers is perfectly valid syntax and will still lock that user out. sshd -T (extended test mode) goes further and prints the effective configuration with Include files merged and, when given -C user=...,host=...,addr=..., the Match blocks that apply to that connection, so you can confirm which Allow/Deny lines a specific login would actually see.
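To confirm which directive will block or admit a specific user before you reload sshd, the following added example (not part of the original article and not OpenSSH code) replays sshd's decision logic in shell: it reads the four directives out of a configuration dump, honours the DenyUsers, AllowUsers, DenyGroups, AllowGroups order, and supports the * and ? wildcards and user@host entries those lists accept. The SAMPLE_CFG text and the users, addresses and group lists are constructed for the demonstration; on a real host you would pass the output of sudo sshd -T -C user=alice,host=client.example,addr=203.0.113.5 as the configuration (so Include files and Match blocks are already merged; the script does not parse Match itself) and id -Gn alice as the group list.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): dry-run sshd's Allow/Deny
# decision for one user against a configuration dump, before reloading sshd.
# Feed it `sshd -T -C user=...,host=...,addr=...` output so that Include files
# and Match blocks are already merged; this parser does not understand Match.
set -f   # no pathname expansion: entries like "10.0.0.*" must stay patterns

# Print the accumulated values of one directive. Keywords are compared
# case-insensitively, so raw sshd_config and lowercase `sshd -T` output both work.
directive_values() {  # $1 config text, $2 keyword
    printf '%s\n' "$1" | awk -v kw="$2" \
        'tolower($1) == kw { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# Shell glob matching gives the same * and ? semantics sshd uses for these lists.
matches() {  # $1 string, $2 pattern
    case "$1" in $2) return 0 ;; *) return 1 ;; esac
}

# One AllowUsers/DenyUsers entry: "user" or "user@host". The host part is
# matched here against the client address only (sshd also tries the hostname).
user_entry_matches() {  # $1 user, $2 client address, $3 entry
    case "$3" in
        *@*) matches "$1" "${3%%@*}" && matches "$2" "${3#*@}" ;;
        *)   matches "$1" "$3" ;;
    esac
}

user_in_list() {  # $1 user, $2 client address, $3.. entries
    local u="$1" a="$2" p
    shift 2
    for p in "$@"; do user_entry_matches "$u" "$a" "$p" && return 0; done
    return 1
}

group_in_list() {  # $1 space-separated group names, $2.. entries
    local gs="$1" g p
    shift
    for p in "$@"; do
        for g in $gs; do matches "$g" "$p" && return 0; done
    done
    return 1
}

# sshd's evaluation order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Prints the reason sshd would log; returns 0 if allowed, 1 if denied.
ssh_access_check() {  # $1 config text, $2 user, $3 client address, $4 groups
    local cfg="$1" user="$2" addr="$3" ugroups="$4"
    local deny_u allow_u deny_g allow_g
    deny_u=$(directive_values "$cfg" denyusers)
    allow_u=$(directive_values "$cfg" allowusers)
    deny_g=$(directive_values "$cfg" denygroups)
    allow_g=$(directive_values "$cfg" allowgroups)

    if [ -n "$deny_u" ] && user_in_list "$user" "$addr" $deny_u; then
        echo "denied: listed in DenyUsers"; return 1
    fi
    if [ -n "$allow_u" ] && ! user_in_list "$user" "$addr" $allow_u; then
        echo "denied: not listed in AllowUsers"; return 1
    fi
    if [ -n "$deny_g$allow_g" ] && [ -z "$ugroups" ]; then
        echo "denied: not in any group"; return 1
    fi
    if [ -n "$deny_g" ] && group_in_list "$ugroups" $deny_g; then
        echo "denied: a group is listed in DenyGroups"; return 1
    fi
    if [ -n "$allow_g" ] && ! group_in_list "$ugroups" $allow_g; then
        echo "denied: none of user's groups are listed in AllowGroups"; return 1
    fi
    echo "allowed"
    return 0
}

# Constructed sample configuration (stand-in for `sshd -T` output).
SAMPLE_CFG='AllowUsers admin deploy ops@10.0.0.*
DenyUsers guest
AllowGroups ssh-users
DenyGroups blocked'

# Constructed cases; on a real host "$(id -Gn user)" supplies the group list.
printf '%-26s %s\n' 'admin, ssh-users:'       "$(ssh_access_check "$SAMPLE_CFG" admin  192.168.1.50 'admin ssh-users')"
printf '%-26s %s\n' 'guest (denied first):'   "$(ssh_access_check "$SAMPLE_CFG" guest  192.168.1.50 'guest ssh-users')"
printf '%-26s %s\n' 'ops from 10.0.0.7:'      "$(ssh_access_check "$SAMPLE_CFG" ops    10.0.0.7     'ops ssh-users')"
printf '%-26s %s\n' 'ops from 192.168.1.9:'   "$(ssh_access_check "$SAMPLE_CFG" ops    192.168.1.9  'ops ssh-users')"
printf '%-26s %s\n' 'deploy, no ssh-users:'   "$(ssh_access_check "$SAMPLE_CFG" deploy 192.168.1.50 'deploy')"
printf '%-26s %s\n' 'admin in blocked group:' "$(ssh_access_check "$SAMPLE_CFG" admin  192.168.1.50 'admin ssh-users blocked')"
```

The "deploy" case is the one that surprises people: the user is on the AllowUsers line yet is still refused, because every configured check must pass and deploy is in no AllowGroups group. The reason strings are the same ones sshd writes to auth.log, so a denied result tells you which line to fix. Limitations to keep in mind: the script only matches the host half of user@host against the address you supply, and it expects "keyword value" lines (the keyword=value form sshd also accepts is not parsed).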

Step 8: Restart SSH Service

Apply sshd_config changes by restarting the daemon (reloading, which sends SIGHUP and makes sshd re-read its configuration without stopping, is the gentler option where the unit offers it). Group membership changes made with usermod or gpasswd do not need this; they apply at the user's next login. Run this from a session you keep open, and test from a second terminal:

bash
sudo systemctl restart sshd

Or on Debian and Ubuntu, where the unit is named ssh:

bash
sudo systemctl restart ssh

Verify the Fix

Attempt to connect as the affected user:

bash
ssh -v username@server

With -v, the debug output should reach "Authentication succeeded" instead of cycling through failing methods. A simpler end-to-end check:

bash
ssh username@server "echo 'Access granted'"

Check the logs to confirm (use journalctl -u ssh or journalctl -u sshd where there is no auth.log):

bash
sudo tail -20 /var/log/auth.log | grep username

You should see a line like one of these, depending on the authentication method used:

bash
Accepted password for username from 192.168.1.50 port 54321 ssh2
Accepted publickey for username from 192.168.1.50 port 54321 ssh2: ED25519 SHA256:...

For future maintenance, prefer group-based allow-listing (AllowGroups) over individual user lists and over deny lists: a group can be managed with usermod and gpasswd without touching sshd_config or reloading sshd, and an allow-list is default-deny, whereas DenyUsers and DenyGroups still admit every account you did not think to list, including ones created later.