This SSH error occurs when a user's group membership does not match the AllowGroups directive in sshd_config. The fix involves adding the user's group to the allowed groups list or verifying group membership.
The SSH daemon (sshd) restricts login access based on group membership through the AllowGroups directive. When AllowGroups is configured, only users whose primary group or any supplementary group matches one of the specified patterns are permitted to authenticate. This error indicates the connecting user's groups do not match any entry in the AllowGroups configuration, preventing authentication before credential verification.
View the SSH daemon configuration to see which groups are allowed:
sudo grep AllowGroups /etc/ssh/sshd_config
If the line is commented out (starts with #) or missing, all groups are allowed. If present, note the group names listed.
Check what groups the user belongs to:
id username
Look for the user's primary group (first group) and supplementary groups (listed after "groups="). Compare these against the AllowGroups configuration from step 1.
If the user's groups don't match AllowGroups, add them to an appropriate allowed group:
sudo usermod -aG allowed_group_name username
Replace allowed_group_name with one of the groups specified in AllowGroups (e.g., ssh-users, sysadmin, developers).
If the group specified in AllowGroups doesn't exist, create it:
sudo groupadd ssh-users
sudo usermod -aG ssh-users username
Then verify the group was created:
getent group ssh-users
For local groups, the user may need to log out completely and log back in to refresh their group membership cache. If they have active sessions, group changes may not be reflected immediately. Kill existing sessions:
sudo pkill -u username
Then have the user attempt to SSH again.
If using LDAP and group names contain spaces, ensure the sshd_config directive uses quotes:
AllowGroups "Domain Users" "SSH Access"
Without quotes, spaces in group names cause parsing issues. Edit /etc/ssh/sshd_config and restart sshd:
sudo systemctl restart sshd
The allow/deny directives are processed in order: DenyUsers → AllowUsers → DenyGroups → AllowGroups. A user must pass all checks to gain access.
On Linux systems with NSS (Name Service Switch), group membership may be cached by the system; the getent group command shows the authoritative group membership from configured sources (local /etc/group, LDAP, NIS, etc.).
In enterprise environments using LDAP or Active Directory, group membership changes may take time to propagate to all machines due to caching; if a user was just added to a group, wait a few minutes and retry.
For Windows OpenSSH, supplementary group support varies by version and may require local group workarounds.
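The comparison from the first two steps (AllowGroups patterns against the user's groups), as an added shell example that is not part of the original page: it reads config text, honours quoted names and the * and ? wildcards, and reports whether a group list would pass. The function names and the sample config are constructed for illustration; Include files and Match blocks are not followed.

```sh
#!/bin/sh
# Added example, not from the original page. SAMPLE_CONFIG is constructed;
# on a real host pass "$(sudo cat /etc/ssh/sshd_config)" instead.
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
AllowGroups ssh-users "Domain Users"
allowgroups ops-*
#AllowGroups wheel'

# Print each AllowGroups pattern from the config text on stdin, one per line.
# The keyword is case-insensitive, repeated lines accumulate, and xargs
# applies the quoting that keeps "Domain Users" as a single pattern.
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print }' |
        xargs -n1 printf '%s\n' | sed '/^$/d'
}

# Return 0 if any group matches any pattern, or if AllowGroups is absent
# (no group restriction); return 1 otherwise.
# Usage: allowgroups_check "$config_text" group...
allowgroups_check() {
    ag_patterns=$(printf '%s\n' "$1" | allowgroups_patterns)
    shift
    [ -n "$ag_patterns" ] || return 0
    while IFS= read -r ag_pat; do
        for ag_grp in "$@"; do
            # Unquoted $ag_pat lets case treat * and ? as wildcards.
            case "$ag_grp" in $ag_pat) return 0 ;; esac
        done
    done <<EOF
$ag_patterns
EOF
    return 1
}

# Demo with constructed group lists, one group name per argument.
for ag_demo in "developers staff" "staff ops-eu"; do
    # shellcheck disable=SC2086  # splitting the demo list into arguments is intended
    if allowgroups_check "$SAMPLE_CONFIG" $ag_demo; then
        echo "$ag_demo: passes AllowGroups"
    else
        echo "$ag_demo: rejected by AllowGroups"
    fi
done
```

Matching is case-sensitive, so a group named Ops-EU would not satisfy the ops-* pattern in the sample.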