You haven't posted your entire `sshd_config`, so it's a little hard to reproduce the situation, but this seems to work:
```
# Main config prohibits all logins
PermitRootLogin no
AllowUsers root

# Permit root logins from a specific address
Match Address 192.168.1.20
    PermitRootLogin yes

# Allow logins to anyone in "ssh" group.
Match Group ssh
    AllowUsers *
```
Another solution is:

- Have the following in your `sshd_config`:

  ```
  AllowGroups ssh
  PermitRootLogin without-password
  ```

- Make `root` a member of the `ssh` group.

  ```
  usermod -a -G ssh root
  ```

- Add a public key to `/root/.ssh/authorized_keys` with a restricted source address, like this:

  ```
  from="192.168.1.20" ssh-rsa ...
  ```

This will get you what you want:

- Only members of the `ssh` group can log in.
- `root` can only log in from the specific IP address in the `authorized_keys` file.
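
An added example, not part of the original answer: a small audit that checks every entry of an `authorized_keys` file for a quoted `from=` option limited to an allowed address set, so an unrestricted root key added later is caught. The function names, the sample entries and the placeholder key material are constructed for illustration.

```python
import ipaddress
import re
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# One option: name, optionally =value where value is "quoted" or a bare token.
OPTION = re.compile(r'([\w-]+)(?:=("(?:\\.|[^"\\])*"|[^\s,"]*))?,?')

def parse_options(line):
    """Return the options field of one authorized_keys entry as {name: raw value}."""
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return {}                      # entry starts with the key type: no options
    opts, pos = {}, 0
    while (m := OPTION.match(line, pos)):
        opts[m.group(1).lower()] = m.group(2)
        pos = m.end()
        if not m.group(0).endswith(","):
            break                      # last option before the key type
    return opts

def audit(text, allowed):
    """Return [(line number, problem)] for keys usable from outside `allowed`."""
    nets, findings = [ipaddress.ip_network(a) for a in allowed], []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        value = parse_options(line).get("from")
        if value is None:
            findings.append((n, "no from= restriction"))
        elif len(value) < 2 or value[0] != '"' or value[-1] != '"':
            findings.append((n, "from= value is not quoted"))
        else:
            for pat in value[1:-1].split(","):
                try:                   # wildcards, negation, hostnames raise ValueError
                    net = ipaddress.ip_network(pat, strict=False)
                    ok = any(net.version == a.version and net.subnet_of(a) for a in nets)
                except ValueError:
                    ok = False
                if not ok:
                    findings.append((n, "from= pattern outside allowed set: " + pat))
    return findings

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = '''\
from="192.168.1.20" ssh-rsa AAAAB3PLACEHOLDER admin@ws
ssh-ed25519 AAAAC3PLACEHOLDER backup@nas
from="192.168.1.20,10.0.0.*",no-pty ssh-rsa AAAAB3PLACEHOLDER ops@jump
command="echo hi, there",from="192.168.1.20" ssh-rsa AAAAB3PLACEHOLDER ci@build
from=192.168.1.20 ssh-rsa AAAAB3PLACEHOLDER old@ws
'''
```

Calling `audit(SAMPLE, ["192.168.1.20"])` reports entries 2, 3 and 5; patterns that are not a plain address or CIDR (wildcards, negations, hostnames) are reported for manual review rather than interpreted.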