Yes, you can configure OpenSSH to allow root login from a single IP address or subnet only, using the Match option. Match acts as a conditional block: if all of its criteria are satisfied, the keywords that follow it override the settings in the global section of the config file. You can use it to limit or grant access to individual sshd features.
Syntax
The syntax is pretty simple:
Match condition
    Override config option 1
    Override config option 2
You can use the following as condition:
- User – Specifies the user name to match. For example, allow root to log in with SSH keys but disallow everyone else.
- Group – Specifies the group to match. For example, allow users in the admin group to log in but disallow everyone else.
- Host – Specifies the client host name to match.
- LocalAddress – Matches the local (listening) address on which the incoming connection was received.
- LocalPort – Matches the local (listening) port on which the incoming connection was received.
- Address – Specifies the client IP address, or an IP/subnet in CIDR format, to match.
Where should I put Match configuration option?
Match blocks go at the bottom of the config file, i.e. /etc/ssh/sshd_config, because each Match block stays in effect until the next Match line or the end of the file, so anything placed after it is treated as part of the block:
$ sudo vi /etc/ssh/sshd_config
OR
$ doas vi /etc/ssh/sshd_config
Example: Allow root login from 192.168.2.5 with an ssh key but disallow everyone else
Append the following in your /etc/ssh/sshd_config:
## Block root login for everyone ##
PermitRootLogin no
## No more password login ##
PermitEmptyPasswords no
PasswordAuthentication no
## Okay, allow root login with a public ssh key from 192.168.2.5 ##
Match Address 192.168.2.5
    PermitRootLogin yes
Verify the sshd configuration, as root, by passing the -T option; it prints the effective settings or reports the line that fails to parse:
$ sshd -T
Reload/restart your sshd server, run:
$ sudo /etc/init.d/ssh reload
OR (Debian/Ubuntu Linux)
$ sudo systemctl reload ssh
OR (CentOS/RHEL/Fedora Linux)
$ sudo systemctl reload sshd
OR (OpenBSD)
$ doas /etc/rc.d/sshd restart
OR (FreeBSD)
$ sudo service sshd restart
You can set up multiple IP addresses or CIDR ranges in one Address criterion, separated by commas:
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
Match Address 192.168.184.8,202.54.1.1,192.168.1.0/24
PermitRootLogin yes
How do I set up a conditional user name along with an IP address?
You can combine the User and Address criteria so that password login (a bad idea in general) and tunnelling are allowed only for one user from one subnet:
### somewhere above, already disabled everything ###
PasswordAuthentication no
PermitTunnel no
### but we are allowing user vivek from the 192.168.1.0/24 CIDR ###
Match User vivek Address 192.168.1.0/24
    PermitTunnel yes
    PasswordAuthentication yes
Using the * and ! patterns
You can use the following patterns in a Match criterion:
- * – Matches zero or more characters.
- ? – Matches exactly one character.
- ! – Negates an entry within a pattern list. A negated entry on its own never produces a match, which is why the example below writes *,!foo rather than !foo.
Let us see some common examples of pattern matching:
## Match 192.168.1.0 to 192.168.1.9 (? matches exactly one character) ##
Match Address 192.168.1.?
    PermitRootLogin yes
## Match every address under 192.168.2. ##
Match Address 192.168.2.*
    X11Forwarding no
## Allow any host in the ".home.lan" set of domains ##
Match Host *.home.lan
    X11Forwarding yes
## Allow everyone except the foo user ##
Match User *,!foo
    X11Forwarding yes
    PermitTunnel yes
    PermitTTY no
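The three config fragments above all rely on the same evaluation rules: the global section is read first, a Match block applies only when every criterion holds, and for each keyword the first value obtained wins. The following is an added example, not code from the article or from OpenSSH: a simplified Python model of that evaluation for the User and Address criteria (with the wildcard, negation and CIDR rules described above; Host, LocalAddress and the other criteria are not modelled), run over a constructed config that combines the article's blocks.

```python
import fnmatch
import ipaddress
def match_list(value, patterns, is_addr=False):
    """OpenSSH pattern-list semantics: comma-separated entries, '*' and '?' wildcards,
    CIDR entries ('/') for Address; a matching '!' entry vetoes the whole list."""
    positive = False
    for pat in patterns.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        if is_addr and "/" in pat:
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(value, pat)
        if hit and negated:
            return False  # "!*" never matches, "!foo,*" matches anyone but foo
        positive = positive or hit
    return positive

def effective_options(config, user, address):
    """Options sshd applies to one connection: global section first, then every Match
    block whose criteria all hold overrides it; per keyword, the first value obtained wins."""
    global_opts, match_opts, in_match, active = {}, {}, False, False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1) + [""]  # drop comment, split key/value
        if not parts[0]:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match, active, crit = True, True, val.split()
            for name, arg in zip(crit[::2], crit[1::2]):  # criteria come in name/arg pairs
                subject = {"user": user, "address": address}.get(name.lower())  # others: no match
                active = active and subject is not None and match_list(subject, arg, name.lower() == "address")
            continue
        if in_match and not active:
            continue  # line belongs to a Match block that did not match this connection
        (match_opts if in_match else global_opts).setdefault(key, val)  # first value wins
    return {**global_opts, **match_opts}

SAMPLE_CONFIG = """# constructed sample combining the article's blocks, not a real host's config
PermitRootLogin no
PasswordAuthentication no
PermitTunnel no
Match Address 192.168.2.5
    PermitRootLogin yes
Match User vivek Address 192.168.1.0/24
    PasswordAuthentication yes
    PermitTunnel yes
Match User *,!foo
    X11Forwarding yes
"""
```

To see what the real daemon decides for a given connection, `sshd -T -C user=root,addr=192.168.2.5` prints the effective configuration with the applicable Match blocks applied.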
A list of keywords that you can use following a Match condition
From the sshd_config man page, the available keywords are:
- AcceptEnv
- AllowAgentForwarding
- AllowGroups
- AllowStreamLocalForwarding
- AllowTcpForwarding
- AllowUsers
- AuthenticationMethods
- AuthorizedKeysCommand
- AuthorizedKeysCommandUser
- AuthorizedKeysFile
- AuthorizedPrincipalsCommand
- AuthorizedPrincipalsCommandUser
- AuthorizedPrincipalsFile
- Banner
- ChrootDirectory
- DenyGroups
- DenyUsers
- ForceCommand
- GatewayPorts
- GSSAPIAuthentication
- HostbasedAcceptedKeyTypes
- HostbasedAuthentication
- HostbasedUsesNameFromPacketOnly
- IPQoS
- KbdInteractiveAuthentication
- KerberosAuthentication
- MaxAuthTries
- MaxSessions
- PasswordAuthentication
- PermitEmptyPasswords
- PermitOpen
- PermitRootLogin
- PermitTTY
- PermitTunnel
- PermitUserRC
- PubkeyAcceptedKeyTypes
- PubkeyAuthentication
- RekeyLimit
- RevokedKeys
- RhostsRSAAuthentication
- RSAAuthentication
- StreamLocalBindMask
- StreamLocalBindUnlink
- TrustedUserCAKeys
- X11DisplayOffset
- X11Forwarding
- X11UseLocalHost
A note about using a firewall
You can also restrict access to the default sshd TCP port 22 with iptables, ufw or pf, but a firewall cannot match user names or other SSH-level information, so it complements rather than replaces Match:
## Allow our subnet to access port 22 on this box using ufw ##
sudo ufw allow from 192.168.1.0/24 to any port 22
## Allow (insert rule) my workstation to access port 22 on this server ##
iptables -I INPUT -s 192.168.2.5 -p tcp -m tcp --dport 22 -j ACCEPT
## Allow port 22 (append rule) ##
iptables -A INPUT -s 192.168.1.5 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
References
- sshd_config(5)
- OpenSSH manual page
2 comments
Or you could just ssh -A into your second host to forward your SSH key agent and access your primary server with your key as usual.
This syntax also works:
AllowUsers user@192.168.1.2