Objective: Allow ssh root logins from a single IP address and disable root logins from other IP addresses.
To enable root logins via ssh, the PermitRootLogin keyword has to be set to yes in the /etc/ssh/sshd_config (OpenSSH daemon configuration) file. To disable root logins, PermitRootLogin has to be set to no instead.
To allow only certain hosts or IP addresses to ssh as the root user, the Match keyword can be used. To allow ssh root logins from foo.example.com, use the following configuration.
```
# global config
PermitRootLogin no

# all other global config here

# permit root login
Match Host foo.example.com
    PermitRootLogin yes
```
Remember to append the Match rules at the end of the sshd_config file. You will need to restart the sshd daemon for the changes to take effect.
If you need to permit root logins from a few IP blocks, you can use the following syntax.
```
# global config
PermitRootLogin no

# all other global config here

# permit root login
Match Address 192.168.10.10,192.168.1.0/24,10.254.0.0/16
    PermitRootLogin yes
```
The above configuration will allow root logins from 192.168.10.10, 192.168.1.0/24 and 10.254.0.0/16.
If you want to permit a particular user to ssh from a certain IP address, you can use the following syntax.
```
# global config
PasswordAuthentication no
PubkeyAuthentication yes
# RSAAuthentication is an SSH protocol 1 keyword; OpenSSH 7.4 and later ignore it with a deprecation warning
RSAAuthentication yes

# all other global config here

# permit ssh login for user
Match User ibrahim Address 192.168.10.0/24
    PasswordAuthentication yes
```
The above Match rule will allow user ibrahim to use password authentication from the network 192.168.10.0/24. From other networks, the user will need to use public key authentication instead.
Only a subset of keywords can be used within a Match block. Some of them are: AllowTcpForwarding, AuthenticationMethods, Banner, ChrootDirectory, PermitRootLogin, X11Forwarding. For the full list of keywords, refer to the sshd_config man page.