•  09-10-2022
  •  | 
  •  

Question

I've got several servers with the following sshd configuration.

# Authentication:
PermitRootLogin no
AllowGroups ssh
PubkeyAuthentication yes
PasswordAuthentication no

This means every user in group "ssh" can login but only with pubkey. The login of root is not allowed.

But there must be an exception for root: my backup server with $ip must login as root.

I tried:

AllowUsers root@$ip
AllowGroups ssh

But AllowUsers overwrites the AllowGroups statement. So only root from $ip can login in.

Match User root, Address $ip
    PermitRootLogin {yes|without-password}
    AllowUsers root

and

Match Address $ip
    PermitRootLogin {yes|without-password}
    AllowUsers *

Both are completely ignored. Still normal users in group "ssh" can login only.

It's a simply scenario with user login restricted to pubkey and root login restricted to pubkey and certain ip. How to solve?

Was it helpful?

Solution

You haven't posted your entire sshd_config, so it's a little hard to reproduce the situation, but this seems to work:

# Main config prohibits all logins
PermitRootLogin no
AllowUsers root

# Permit root logins from a specific address
Match Address 192.168.1.20
  PermitRootLogin yes

# Allow logins to anyone in "ssh" group.
Match Group ssh
  AllowUsers *

Another solution is:

  • Have the following in your sshd_config:

    AllowGroups ssh
PermitRootLogin without-password

  • Make root a member of the ssh group.

    usermod -a -G ssh root

  • Add a public key to /root/.ssh/authorized_keys with a restricted source address, like this:

    from=192.168.1.20 ssh-rsa ...

This will get you what you want:

  • Only members of the ssh group can log in.
  • root can only log in from the specific ip address in the authorized_keys file.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top