On Sun, 2008-12-14 at 22:54 +0000, Chris G wrote:
Solved!
At first I thought it couldn't be done as a Google search turned up someone trying to do something similar and being told it wasn't possible using AllowUsers and DenyUsers, which is true, but there's a new[ish] directive which makes it possible.
The answer is to use a Match section at the end of /etc/ssh/sshd_config as follows:-

    Match Address 192.168.1.7
        PermitRootLogin without-password
As the body of /etc/ssh/sshd_config already has "PermitRootLogin no" this does exactly what I want, it's only possible to ssh to root from 192.168.1.7.
A handy tip and one I was not aware of. As per your initial search results my first instinct was to say it wasn't possible without running two instances of the ssh server on different ports.
However... I am assuming the one machine that needs root needs it for some specific purpose and that being the case would it not have been possible to meddle with sudoers so that a specific user other than root had permission to do whatever it was you need to do from that machine via a promptless sudo?
That would strike me as the better practice because now with a key only based authentication between two boxes if 192.168.1.7 got compromised then it would have open root access to the other machine.
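For reference, here is what the two approaches discussed in this thread look like side by side. This is an added example, not configuration posted by either participant; the account name backupuser and the script path /usr/local/bin/run-backup.sh are assumptions chosen for illustration.

```conf
# --- /etc/ssh/sshd_config --------------------------------------------------
# Global section: root is refused from everywhere by default.
PermitRootLogin no

# Approach 1 (the original poster's solution): a Match block at the END of
# the file.  Directives after a Match line apply only until the next Match,
# so no global settings may follow it.  Root may log in from this one
# address, but only with a key, never a password.
Match Address 192.168.1.7
    PermitRootLogin without-password

# --- /etc/sudoers.d/backupuser (edit with: visudo -f /etc/sudoers.d/backupuser)
# Approach 2 (the reply's alternative): keep PermitRootLogin no everywhere,
# give the remote job an unprivileged account, and let that account run
# exactly one command as root without a password prompt.  The command must be
# an absolute path; a wildcard or a shell here would hand back full root.
backupuser ALL=(root) NOPASSWD: /usr/local/bin/run-backup.sh
```

With approach 2 the remote side runs `sudo -n /usr/local/bin/run-backup.sh`; `-n` makes sudo fail instead of prompting if the rule is ever mis-typed. After editing either file, `sshd -t` and `visudo -c` report syntax errors before the running daemon or sudo picks the change up, which matters because a broken sshd_config can lock you out on the next restart.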