
Re: SSH root login from one ip via certificate only, all other logins password only.

James Allsopp wrote:
> Hi,
> I need to have one computer I can ssh to other computers as root for
> Ansible. To do this I've set up a strong certificate with a password, but
> what I want is to only be able to log in as root from one IP using that
> cert. All other users should only log in via a password and can do so from
> any IP.
> Currently normal user logins are broken with this sshd_config. Can anyone
> tell me where I'm going wrong? Sudo is not an option.
> [...]
> #PermitRootLogin no

Change this to "without-password" to force key-based logins.  (Yeah, I
know this is in the global section but I'm not reading through the rest
of your config).

Alternately, if you don't want this as a global setting, an additional
stanza along these lines will take care of it:

match User root Address
  PermitRootLogin without-password

You shouldn't have to bother trying to create any rules for the other
users, as without a "match" directive, they'll just use the global

|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
