How to allow root login from one IP address with ssh public keys only

I am using MacOS on the desktop and Ubuntu Linux on the server. I disabled root login over ssh and enabled ssh based public key login. However, I recently added second Ubuntu server. I need to sync file between two using rsync command. Is there any way that I can log from the second server into my first server with root user from second server IP address only ({root@secondBOX }# ssh root@firstBOX1) without reducing OpenSSH server security option?

Linux/Unix: Allow root login from one IP address only

Linux/Unix: Allow root login from one IP address only

Yes, you can configure OpenSSH for root login from one IP address or subnet only using Match option. The Match option act as a conditional block. If all of the given conditions are satisfied, OpenSSH can override global section config file. You can limit or grant access to sshd features with the Match option.

Syntax

The syntax is pretty simple:

Match condition 
  Override config option 1
  Override config option 2

You can use the following as condition:

User – Specifies the user to match. For example, if user is root allow login with ssh-keys but disallow everyone else.
Group – Specifies the group to match. For example, If user in group admin, allow login but disallow everyone else.
Host – Specifies the host to match
LocalAddress – Specifies and match the the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
LocalPort – Same as above.
Address – Specifies the IP address or IP/subnet to match in CIDR format.

Where should I put Match configuration option?

You must add config option at the bottom of the config file i.e. /etc/ssh/sshd_config:
$ sudo vi /etc/ssh/sshd_config
OR
$ doas vi /etc/ssh/sshd_config

Example: Allow root login from from 192.168.2.5 with ssh-key but disallow everyone else

Append the following in your /etc/ssh/sshd_config:

## Block root login to every one ##
PermitRootLogin no
 
## No more password login  ##
PermitEmptyPasswords no
PasswordAuthentication no
 
## Okay allow root login with public ssh key for 192.168.2.5 ##
Match Address 192.168.2.5
        PermitRootLogin yes

Verify sshd configuration by passing the -T option:
$ sshd -T
Reload/restart your sshd server, run:
$ sudo /etc/init.d/ssh reload
OR (Debian/Ubuntu Linux)
$ sudo systemctl reload ssh
OR (CentOS/RHEL/Fedora Linux)
$ sudo systemctl reload sshd
OR (OpenBSD)
$ doas /etc/rc.d/sshd restart
OR (FreeBSD)
$ sudo service sshd restart

You can setup multiple IP address/CIDR as follows:

PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
Match Address 192.168.184.8,202.54.1.1,192.168.1.0/24
        PermitRootLogin yes

How do I setup conditional username along with an IP address?

You can combine User and Address condition as follows so that you can allow password login (a bad idea) including tunnel:

### somewhere already disabled everything ###
PasswordAuthentication no
PermitTunnel no
### but we are allowing user vivek from 192.168.1.0/24 CIDR ###
Match User vivek Address 192.168.1.0/24
    PermitTunnel yes
    PasswordAuthentication yes

Using * and ! pattern

You can use the following patterns:

* – It matches matches zero or more characters.
? – It matches exactly one character.
! – Patterns within pattern-lists may be negated with !.

Let us see some common examples of pattern matching

## Match 192.168.1.1 to 192.168.1.9 ##
Match Address 192.168.1.?
   PermitRootLogin yes
 
## Match 192.168.1.{2,3....}  ##
Match Address 192.168.2.* 
    X11Forwarding no
 
## Allow any host in the ".home.lan" set of domains ##
Match Host *.home.lan
    X11Forwarding yes
 
## Allow everyone except foo user ##
Match User *,!foo
      X11Forwarding yes
      PermitTunnel yes
      PermitTTY no

A list of keywords that you can use following a Match condition

From the man page ~ available keywords are

AcceptEnv
AllowAgentForwarding
AllowGroups
AllowStreamLocalForwarding
AllowTcpForwarding
AllowUsers
AuthenticationMethods
AuthorizedKeysCommand
AuthorizedKeysCommandUser
AuthorizedKeysFile
AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser
AuthorizedPrincipalsFile
Banner
ChrootDirectory
DenyGroups
DenyUsers
ForceCommand
GatewayPorts
GSSAPIAuthentication
HostbasedAcceptedKeyTypes
HostbasedAuthentication
HostbasedUsesNameFromPacketOnly
IPQoS
KbdInteractiveAuthentication
KerberosAuthentication
MaxAuthTries
MaxSessions
PasswordAuthentication
PermitEmptyPasswords
PermitOpen
PermitRootLogin
PermitTTY
PermitTunnel
PermitUserRC
PubkeyAcceptedKeyTypes
PubkeyAuthentication
RekeyLimit
RevokedKeys
RhostsRSAAuthentication
RSAAuthentication
StreamLocalBindMask
StreamLocalBindUnlink
TrustedUserCAKeys
X11DisplayOffset
X11Forwarding
X11UseLocalHost

A note about using firewall

You can always use iptables or pf firewall but can not match user names and other information to control access to the default sshd tcp port 22:

## Allow our subnet to access for 22 on this box using ufw ##
sudo ufw allow from 192.168.1.0/24 to any port 22
 
## Allow (insert rule) my workstation to access port 22 on this server ##
iptables -I INPUT -s 192.168.2.5 -p tcp -m tcp --dport 22 -j ACCEPT
 
## Allow port 22 (append rule) ##
iptables -A INPUT -s 192.168.1.5 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

References

sshd_config(5)
OpenSSH manual page

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

2 comment

ModuleC says:
June 11, 2017 at 12:03 am
Or you could just SSH -A into your second host to forward your SSH key agent and access your primary server with key as usual.
Rasto says:
June 12, 2017 at 4:49 am
Also works syntax:
AllowUsers user@192.168.1.2

Have a question? Post it on our forum!