On Sun, Dec 14, 2008 at 06:52:55PM +0000, Chris G wrote:
By default I have sshd set up to disallow root logins; if I want to get to root from a remote login I log in as myself (one password) and then su to root (another password).
However I want to allow root login from one other system on the local LAN. To this end I added the following to the end of sshd_config:-
PasswordAuthentication no
AllowUsers root@192.168.1.7
However this, of course, prevents anyone logging in from anywhere except for root@192.168.1.7.
How can I allow any non-root user from anywhere but root only from 192.168.1.7?
Solved!
At first I thought it couldn't be done as a Google search turned up someone trying to do something similar and being told it wasn't possible using AllowUsers and DenyUsers, which is true, but there's a new[ish] directive which makes it possible.
The answer is to use a Match section at the end of /etc/ssh/sshd_config as follows:-
Match Address 192.168.1.7
    PermitRootLogin without-password
As the body of /etc/ssh/sshd_config already has "PermitRootLogin no" this does exactly what I want; it's only possible to ssh to root from 192.168.1.7.
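As an added illustration (not part of the thread), here is a small Python model of how sshd resolves a keyword through Match Address blocks: the global value is the first one seen, and the first matching Match block that sets the keyword overrides it. It assumes only "Match Address" criteria (plain addresses or CIDR ranges, no negation or wildcards) and a constructed config mirroring the one above; it also generalises the thread's single-host case to a whole LAN subnet.

```python
import ipaddress

# Constructed sample mirroring the thread: root refused globally,
# allowed with key-only authentication from one LAN host.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes

Match Address 192.168.1.7
    PermitRootLogin without-password
"""


def parse_sshd_config(text):
    """Split sshd_config into global options and ordered Match blocks.

    Returns (globals, matches): globals keeps the first value seen per
    keyword (sshd's "first obtained value wins" rule); matches is a list
    of (address_patterns, {keyword: value}) in file order.  Only
    'Match Address' is modelled here (assumption of this example).
    """
    globals_, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            criterion, _, arg = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            current = (arg.strip().split(","), {})
            matches.append(current)
        elif current is None:
            globals_.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return globals_, matches


def address_matches(patterns, addr):
    """True if addr falls inside any pattern (host address or CIDR)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def effective_option(text, client_addr, keyword):
    """Value sshd would apply for keyword to a client at client_addr."""
    globals_, matches = parse_sshd_config(text)
    keyword = keyword.lower()
    for patterns, opts in matches:
        if keyword in opts and address_matches(patterns, client_addr):
            return opts[keyword]
    return globals_.get(keyword)
```

On a real host, `sshd -T -C addr=192.168.1.7,user=root` prints the effective configuration sshd would use for that connection, which is the authoritative check.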