On Mon, Dec 15, 2008 at 01:30:14AM +0000, Wayne Stallwood wrote:
On Sun, 2008-12-14 at 22:54 +0000, Chris G wrote:
Solved!
At first I thought it couldn't be done as a Google search turned up someone trying to do something similar and being told it wasn't possible using AllowUsers and DenyUsers, which is true, but there's a new[ish] directive which makes it possible.
The answer is to use a Match section at the end of /etc/ssh/sshd_config as follows:-

Match Address 192.168.1.7
    PermitRootLogin without-password
As the body of /etc/ssh/sshd_config already has "PermitRootLogin no" this does exactly what I want, it's only possible to ssh to root from 192.168.1.7.
A handy tip and one I was not aware of. As per your initial search results my first instinct was to say it wasn't possible without running two instances of the ssh server on different ports.
However... I am assuming the one machine that needs root needs it for some specific purpose and that being the case would it not have been possible to meddle with sudoers so that a specific user other than root had permission to do whatever it was you need to do from that machine via a promptless sudo?
You're right about the specific purpose, it's so it can do 'pull' backups, i.e. copy data to 192.168.1.7 (which is the backup machine) from the machine it's logging in to.
I think your sudo approach would probably work too and is probably marginally more secure for some cases.
That would strike me as the better practice because now with a key only based authentication between two boxes if 192.168.1.7 got compromised then it would have open root access to the other machine.
I've gone to some lengths to make 192.168.1.7 difficult to get to, no ssh root logins are allowed so to get to root you have first to login as a non-root user (needs a password) and then su to root (needs another password).
In addition, since what I'm doing is backups the program the sudo user could run is rdiff-backup, which would enable them to do just about anything - copy files, overwrite files, delete files (including all the ssh keys of course!).
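As an added example (not configuration from either poster), the fragments below put the two approaches discussed in this thread side by side for the pull-backup case: the Match block from Chris's reply laid out as sshd expects it, a tighter variant that pins the root key to the rdiff-backup server command so a compromised 192.168.1.7 can read but not write the source host, and Wayne's sudoers alternative. The address 192.168.1.7, the user name "backup", the key material and the path /usr/bin/rdiff-backup are assumed for illustration; the rdiff-backup --server and --restrict-read-only options should be checked against the man page of the version actually installed.

```text
# /etc/ssh/sshd_config  (added example, assumed layout)
# Global default stays closed; only the Match block relaxes it.
PermitRootLogin no

# Match must sit at the END of the file: every directive after it
# applies only to connections matching the criteria, up to the next Match.
Match Address 192.168.1.7
    # Variant A (as posted): key-based root login from this one address.
    #PermitRootLogin without-password
    # Variant B (tighter): root may log in from here only when the key used
    # carries a command= restriction in authorized_keys (see below).
    PermitRootLogin forced-commands-only

# /root/.ssh/authorized_keys on the machine being backed up (Variant B)
# from=  : sshd refuses this key from any other source address
# command=: whatever the client asks to run, sshd runs this instead;
#           --restrict-read-only lets the pull backup read but never
#           write or delete on the source host.
# no-port-forwarding etc.: close the side channels a forced command leaves open.
from="192.168.1.7",command="/usr/bin/rdiff-backup --server --restrict-read-only /",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...EXAMPLE backup@192.168.1.7

# /etc/sudoers (Wayne's alternative, via visudo) - assumed user "backup"
# Arguments are part of the match, so this user can run exactly this
# command line and nothing else as root, without a password prompt.
backup ALL=(root) NOPASSWD: /usr/bin/rdiff-backup --server --restrict-read-only /
```

After editing sshd_config, run `sshd -t` to check the syntax before restarting, and keep an existing session open until a fresh login from 192.168.1.7 is confirmed to work. With the sudoers variant the backup host has to ask for the sudo wrapper explicitly, e.g. `rdiff-backup --remote-schema 'ssh -C %s sudo /usr/bin/rdiff-backup --server --restrict-read-only /' backup@host::/ /backups/host`, and a `Defaults requiretty` line in sudoers would have to be relaxed for that user since the session has no tty. Both variants leave the source host readable by whoever holds the backup key, which is the residual risk Wayne describes; the read-only restriction is what stops that reader from also becoming a writer.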