This SSH error occurs when a user's group is explicitly denied in sshd_config via DenyGroups. Fix it by removing the group restriction, using a Match override, or removing the user from the denied group.
OpenSSH applies access control through DenyGroups and AllowGroups directives in /etc/ssh/sshd_config. When a user attempts to connect, sshd checks if their primary group or any supplementary group matches a DenyGroups pattern. If a match is found, the connection is rejected immediately, even if other rules would allow access. The DenyGroups check takes precedence over AllowGroups, making it a hard block.
Connect to the server via console or as a user who can access it, then examine the SSH configuration:
    sudo grep DenyGroups /etc/ssh/sshd_config
This will show which groups are currently denied. Also verify the user's group membership:
    id username
    groups username
Open the SSH configuration file with root privileges:
    sudo vi /etc/ssh/sshd_config
Or use nano if you prefer:
    sudo nano /etc/ssh/sshd_config
Option A: Remove or comment out DenyGroups (simplest)
Find the DenyGroups line and comment it out:
    #DenyGroups groupname
Option B: Remove only the problematic group from DenyGroups
If you need DenyGroups but just need to exclude this specific group, edit the line:
    DenyGroups othergroup1 othergroup2
Option C: Use Match block to override for specific users (most flexible)
Add this at the end of sshd_config to allow specific users despite DenyGroups:
    Match User username1,username2
        DenyGroups none
This allows you to keep DenyGroups active for most users while exempting specific ones.
Before restarting sshd, check for syntax errors:
    sudo sshd -t
If no output is shown, the configuration is valid. If there are errors, you'll see them printed.
Reload or restart sshd to apply the changes:
    sudo systemctl restart sshd
Or on older systems:
    sudo service ssh restart
Important: Keep your current SSH session open in case you need to troubleshoot. Test the connection from a new terminal.
From another terminal (or machine), attempt to SSH:
    ssh username@hostname
If you still can't connect, check the sshd logs:
    sudo tail -f /var/log/auth.log
    # or on systems using journald:
    sudo journalctl -u sshd -f
Look for the exact error message to determine if it's still a DenyGroups issue or something else.
Deny directives take strict precedence in OpenSSH. The processing order is: DenyUsers → AllowUsers → DenyGroups → AllowGroups. This means if a user is in DenyGroups, no other allow rule can override it unless you use a Match block. If using Match blocks, place them after the global directives. On systems using domain users or LDAP, group membership may be determined by supplementary groups, so verify with id -G username (add -n to print group names, since DenyGroups matches names, not numeric group IDs). On SELinux systems, also check SELinux policies, as they may add access controls independent of sshd_config.
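The diagnosis step above (comparing a user's groups against the DenyGroups patterns) can be scripted. The following is an added example, not part of the original article: the function names `deny_patterns` and `denied_by`, the sample configuration and the group names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): explain a DenyGroups rejection.
# Usage on a real host: denied_by /etc/ssh/sshd_config $(id -Gn username)

# Print the global DenyGroups patterns, one per line. Keywords are
# case-insensitive; parsing stops at the first Match block (conditional rules).
deny_patterns() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# denied_by CONFIG GROUP... : print "group pattern" for the first group that
# matches a deny pattern and return 0; return 1 if no group is denied.
# sshd's * and ? wildcards map onto shell case patterns. Not handled here:
# negated (!) patterns, Include files, group names containing spaces.
denied_by() {
    conf=$1; shift
    set -f                      # keep * and ? in patterns from globbing
    for pat in $(deny_patterns "$conf"); do
        for grp in "$@"; do
            case $grp in
                $pat) set +f; echo "$grp $pat"; return 0 ;;
            esac
        done
    done
    set +f
    return 1
}

# Constructed sample config: one commented-out rule, one live rule, and a
# Match override that must not be counted as a global deny.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
#DenyGroups staff
denygroups contractors temp-*
AllowGroups sshusers
Match User alice
    DenyGroups none
EOF

denied_by "$sample_conf" bob sshusers temp-2024 || echo "no global DenyGroups match"
denied_by "$sample_conf" carol sshusers || echo "no global DenyGroups match"
rm -f "$sample_conf"
```

A hit names both the offending group and the pattern, which tells you whether Option B (edit the pattern list) or removing the user from the group is the smaller change.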