This SSH error occurs when a user's group membership does not match the AllowGroups directive in sshd_config. The fix involves adding the user's group to the allowed groups list or verifying group membership.
The SSH daemon (sshd) restricts login access based on group membership through the AllowGroups directive. When AllowGroups is configured, only users whose primary group or any supplementary group matches one of the specified patterns are permitted to authenticate. This error indicates the connecting user's groups do not match any entry in the AllowGroups configuration, preventing authentication before credential verification.
View the SSH daemon configuration to see which groups are allowed:
sudo grep AllowGroups /etc/ssh/sshd_config
If the line is commented out (starts with #) or missing, all groups are allowed. If present, note the group names listed.
Check what groups the user belongs to:
id username
Look for the user's primary group (first group) and supplementary groups (listed after "groups="). Compare these against the AllowGroups configuration from step 1.
If the user's groups don't match AllowGroups, add them to an appropriate allowed group:
sudo usermod -aG allowed_group_name username
Replace allowed_group_name with one of the groups specified in AllowGroups (e.g., ssh-users, sysadmin, developers).
If the group specified in AllowGroups doesn't exist, create it:
sudo groupadd ssh-users
sudo usermod -aG ssh-users username
Then verify the group was created:
getent group ssh-users
For local groups, the user may need to log out completely and log back in to refresh their group membership cache. If they have active sessions, group changes may not be reflected immediately. Kill existing sessions (this terminates every process owned by the user):
sudo pkill -u username
Then have the user attempt to SSH again.
If using LDAP and group names contain spaces, ensure the sshd_config directive uses quotes:
AllowGroups "Domain Users" "SSH Access"
Without quotes, spaces in group names cause parsing issues. Edit /etc/ssh/sshd_config and restart sshd:
sudo systemctl restart sshd
The allow/deny directives are processed in order: DenyUsers → AllowUsers → DenyGroups → AllowGroups. A user must pass all checks to gain access.
On Linux systems with NSS (Name Service Switch), group membership may be cached by the system; the getent group command shows the authoritative group membership from configured sources (local /etc/group, LDAP, NIS, etc.).
In enterprise environments using LDAP or Active Directory, group membership changes may take time to propagate to all machines due to caching; if a user was just added to a group, wait a few minutes and retry.
For Windows OpenSSH, supplementary group support varies by version and may require local group workarounds.
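To see which directive rejects a given account, the check order above can be replayed offline against a copy of the configuration. This is an added example, not code from the original page or from OpenSSH; the function names are hypothetical, the sample configuration and group lists are constructed, and it assumes patterns use only the `*` and `?` wildcards (no `!` negation and no USER@HOST forms).

```python
import re
import shlex

# Evaluation order as stated on this page.
ORDER = ["denyusers", "allowusers", "denygroups", "allowgroups"]

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONFIG = '''
# AllowGroups wheel
DenyUsers guest
AllowGroups "Domain Users" ssh-*
'''

def parse_directives(config_text):
    """Collect the patterns of the four allow/deny directives."""
    rules = {name: [] for name in ORDER}
    for line in config_text.splitlines():
        head = line.strip().split(None, 1)
        if len(head) == 2 and head[0].lower() in rules:
            # shlex keeps a quoted name such as "Domain Users" as one pattern
            rules[head[0].lower()].extend(shlex.split(head[1], comments=True))
    return rules

def matches(name, pattern):
    """Whole-string match where '*' is any run of characters and '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.DOTALL) is not None

def check_login(rules, user, groups):
    """Return (allowed, directive_that_decided) for a user and their groups."""
    def hit(key, names):
        return any(matches(n, p) for p in rules[key] for n in names)
    if hit("denyusers", [user]):
        return False, "DenyUsers"
    if rules["allowusers"] and not hit("allowusers", [user]):
        return False, "AllowUsers"
    if hit("denygroups", groups):
        return False, "DenyGroups"
    if rules["allowgroups"] and not hit("allowgroups", groups):
        return False, "AllowGroups"
    return True, None

if __name__ == "__main__":
    rules = parse_directives(SAMPLE_CONFIG)
    # Groups as printed by `id -Gn username` (constructed values).
    print(check_login(rules, "alice", ["alice", "developers"]))
    print(check_login(rules, "alice", ["alice", "ssh-users"]))
```

Feed it the text of /etc/ssh/sshd_config and the output of `id -Gn username` split into a list; an unquoted name containing a space shows up as two separate patterns in the parsed rules.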