Re: SSH root login from one ip via certificate only, all other logins password only.

To: debian-user@lists.debian.org
Subject: Re: SSH root login from one ip via certificate only, all other logins password only.
From: Dan Purgert <dan@djph.net>
Date: Wed, 29 Aug 2018 13:05:08 -0000 (UTC)
Message-id: <[🔎] slrnpod6g4.u91.dan@xps-linux.djph.net>
References: <[🔎] CAD3_CNPfcgzVBgyH7hfxAJRuE1Or0ayCwA2zqJMR5dS3cmX7YA@mail.gmail.com>

James Allsopp wrote:
> Hi,
> I need to have one computer I can ssh to other computers as root for
> Ansible. To do this I've set up a strong certificate with a password, but
> what I want is to only be able to log in as root from one IP using that
> cert. All other users should only log in via a password and can do so from
> any IP.
>
> Currently normal user logins are broken with this sshd_config. Can anyone
> tell me where I'm going wrong? Sudo is not an option.
>
> [...]
> #PermitRootLogin no

Change this to "without-password" to force key-based logins.  (Yeah, I
know this is in the global section but I'm not reading through the rest
of your config).

Alternately, if you don't want this as a global setting, an additional
stanza along these lines will take care of it:

match User root Address 192.0.2.10
  PermitRootLogin without-password

You shouldn't have to bother trying to create any rules for the  other
users, as without a "match" directive, they'll just use the global
settings


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Reply to:

References:
- SSH root login from one ip via certificate only, all other logins password only.
  - From: James Allsopp <jamesaallsopp@googlemail.com>

Prev by Date: Re: mailing list vs "the futur"
Next by Date: Re: mailing list vs "the futur"
Previous by thread: Re: SSH root login from one ip via certificate only, all other logins password only.
Next by thread: sid upgrade problem
Index(es):
- Date
- Thread