< Previous | Contents | Next >
1.5.1. SSH Access by Disabled Users
Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access, e.g. /home/username/.ssh/authorized_keys.
Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication capabilities.
Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found.
who | grep username (to get the pts/# terminal)
sudo pkill -f pts/#
Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the AllowGroups variable located in the file / etc/ssh/sshd_config.
AllowGroups sshlogin
Then add your permitted SSH users to the group "sshlogin", and restart the SSH service.
sudo adduser username sshlogin
sudo systemctl restart sshd.service