How to allow root login from one IP address with ssh public keys only

I am using macOS on the desktop and Ubuntu Linux on the server. I disabled root login over SSH and enabled SSH public-key login. However, I recently added a second Ubuntu server. I need to sync files between the two using the rsync command. Is there any way I can log in from the second server into my first server as the root user, from the second server's IP address only ({[email protected] }# ssh [email protected]), without reducing the OpenSSH server security options?

Linux/Unix: Allow root login from one IP address only
Yes. OpenSSH's sshd_config supports a Match keyword that introduces a conditional block. If all of the criteria given on the Match line are satisfied by the incoming connection, the keywords on the following lines override those set in the global section of the file, until either another Match line or the end of the file. Only a subset of sshd keywords may appear inside a Match block (listed further down), and if several Match blocks match the same connection, the first block that sets a given keyword wins, so put the most specific block first. This lets you grant or restrict sshd features per user, group, listening port, or client address.


The syntax is pretty simple:

You can use the following criteria on a Match line (each criterion is followed by a pattern or a comma-separated pattern list):
  1. User – The user name being authenticated. For example, allow root to log in with an SSH key but leave everyone else on the global settings.
  2. Group – A group the user belongs to. For example, allow members of the admin group to log in but nobody else.
  3. Host – The client's host name, as obtained by reverse DNS; this is only meaningful when UseDNS is enabled, and reverse DNS is under the client network's control, so prefer Address for access decisions.
  4. LocalAddress – The local (listening) address on which the incoming connection was received.
  5. LocalPort – The local port on which the incoming connection was received.
  6. Address – The client's IP address, either a single address, a network in CIDR address/masklen format, or a wildcard pattern.
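The general form is a Match line carrying one or more criterion/pattern pairs, followed by indented keyword lines. The following is an added illustration (not configuration from the original page) of the LocalPort and Group criteria; the second port, the sftponly group and the chroot path are placeholders:

```sshd_config
# Added example: a Match line is "Match criterion pattern [criterion pattern ...]"
# followed by keyword lines that apply only when every criterion matches.
Port 22
Port 2222

# Global section: applies to every connection unless a Match block overrides it.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Match lines go last. Each block lasts until the next Match line or end of file.

# Criterion: the local port the connection arrived on. Port 2222 is the
# "no forwarding" listener; everything else keeps the global defaults.
Match LocalPort 2222
    AllowTcpForwarding no
    X11Forwarding no
    MaxAuthTries 3

# Criterion: the user's group. Members of sftponly get a chrooted sftp-only
# session. The chroot directory must be owned by root and not group/world writable.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTTY no
```

A connection from a user in sftponly arriving on port 2222 matches both blocks; for keywords set in both (AllowTcpForwarding here) the value from the first matching block is the one sshd uses.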

Where should I put Match configuration option?

Match blocks must go at the bottom of /etc/ssh/sshd_config: every line after a Match line belongs to that block until the next Match line or the end of the file, so a Match placed in the middle of the file would silently turn the global settings that follow it into conditional ones (and sshd will refuse to start if one of those keywords is not allowed inside a Match block). Open the file with:
$ sudo vi /etc/ssh/sshd_config
$ doas vi /etc/ssh/sshd_config

Example: Allow root login from one IP address with an SSH key but disallow everyone else

Append a Match Address block for the second server's IP address to the end of /etc/ssh/sshd_config.
Then check the configuration syntax and print the effective configuration by passing the -T option. Note that -T on its own prints the global values only; what a Match block actually yields for a given client can only be seen by simulating a connection with -C (see below):
$ sudo sshd -T
Reload/restart your sshd server, run:
$ sudo /etc/init.d/ssh reload
OR (Debian/Ubuntu Linux)
$ sudo systemctl reload ssh
OR (CentOS/RHEL/Fedora Linux)
$ sudo systemctl reload sshd
OR (OpenBSD)
$ doas /etc/rc.d/sshd restart
OR (FreeBSD)
$ sudo service sshd restart
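The configuration this example describes, as an added example rather than the original page's listing; 203.0.113.10 stands in for the second server's public IP address and backup.example.net for its host name, so replace both with your own:

```sshd_config
# Added example (not from the original page). Global section: root cannot log
# in at all, nobody can use a password, and keys are the only method left.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# Keep this at the very end of sshd_config: every line after a Match line
# belongs to that block until the next Match line or the end of the file.
# 203.0.113.10 is a placeholder for the second server's address.
Match Address 203.0.113.10
    # prohibit-password: root may authenticate with a key, never a password
    # (older OpenSSH releases spell the same value without-password).
    PermitRootLogin prohibit-password
    AuthenticationMethods publickey
```

To see what this block yields for the second server, simulate the connection with -C instead of relying on a plain -T, for example `sudo sshd -T -C user=root,host=backup.example.net,addr=203.0.113.10 | grep -i permitrootlogin`, which should print `permitrootlogin prohibit-password`; the same command with another address must print `permitrootlogin no`. Match Address only trusts the source IP of the TCP connection, so keep a second, key-side restriction as well: prefix the second server's key in /root/.ssh/authorized_keys with `from="203.0.113.10",restrict` so that key is refused from any other address and gets no port forwarding, agent forwarding or PTY (rsync does not need any of them). Then reload sshd as shown above.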


How do I setup conditional username along with an IP address?

You can combine the User and Address criteria on one Match line so that the block applies only when both match. The original example used this to permit password login (a bad idea) together with tunnel devices for one user coming from one network.
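An added example (not from the original page) of the combined criteria, with the weak variant the text warns about next to a safer version; the deploy user and the 192.0.2.0/24 network are placeholders:

```sshd_config
# Added example. Both criteria must hold: the user is "deploy" AND the client
# address is inside 192.0.2.0/24. Any other user, or deploy from elsewhere,
# stays on the global settings.

# Weak variant (what the text describes): passwords for this user from this
# network. Even limited to one /24 this reopens online brute force. It is
# left commented out here; use it or the block below, not both, because if
# two blocks match, the first one that sets a keyword wins.
#Match User deploy Address 192.0.2.0/24
#    PasswordAuthentication yes
#    PermitTunnel yes

# Safer variant: same scope, tunnel devices allowed, but keys remain the
# only accepted authentication method.
Match User deploy Address 192.0.2.0/24
    PasswordAuthentication no
    AuthenticationMethods publickey
    PermitTunnel yes
```

Check the result with a simulated connection, for example `sudo sshd -T -C user=deploy,addr=192.0.2.25 | grep -i -E 'passwordauthentication|permittunnel'`, and then once more with an address outside the network to confirm the global values come back.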

Using the * and ! patterns

You can use the following patterns in Match criteria, either singly or in a comma-separated list (no spaces):
  1. * – Matches zero or more characters.
  2. ? – Matches exactly one character.
  3. ! – A pattern inside a pattern list may be negated by prefixing it with !; if a negated pattern matches, the whole list counts as not matching.
Let us see some common examples of pattern matching
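The following patterns are added examples rather than the original page's listing; the host names, user names and networks are placeholders:

```sshd_config
# Added examples of pattern lists in Match criteria.

# * matches any run of characters. Match Host compares against the client's
# reverse-DNS name, so it needs UseDNS yes and trusts whoever controls the
# client's reverse zone; use it for convenience settings, not access control.
Match Host *.example.net
    X11Forwarding no

# ? matches exactly one character: ops-a and ops-b match, ops-ab does not.
Match User ops-?
    AllowTcpForwarding no

# ! negates one entry of a comma-separated list. The whole /24 matches,
# except 192.168.10.5: a matching negated entry defeats the entire list.
Match Address 192.168.10.0/24,!192.168.10.5
    MaxSessions 1

# Wildcard and negation in one list: every user whose name starts with
# svc- except svc-legacy. Entries are comma-separated with no spaces.
Match User svc-*,!svc-legacy
    PermitTTY no
```

Remember that these blocks are evaluated in file order and that, for any keyword set in more than one matching block, the first block's value wins, so place exceptions (the more specific Match lines) before the broad ones.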

A list of keywords that you can use following a Match condition

From the sshd_config man page, the keywords that may appear inside a Match block are listed below (this list reflects the OpenSSH release the page was written for; RSAAuthentication and RhostsRSAAuthentication belong to SSH protocol 1 and no longer exist in current OpenSSH):
  1. AcceptEnv
  2. AllowAgentForwarding
  3. AllowGroups
  4. AllowStreamLocalForwarding
  5. AllowTcpForwarding
  6. AllowUsers
  7. AuthenticationMethods
  8. AuthorizedKeysCommand
  9. AuthorizedKeysCommandUser
  10. AuthorizedKeysFile
  11. AuthorizedPrincipalsCommand
  12. AuthorizedPrincipalsCommandUser
  13. AuthorizedPrincipalsFile
  14. Banner
  15. ChrootDirectory
  16. DenyGroups
  17. DenyUsers
  18. ForceCommand
  19. GatewayPorts
  20. GSSAPIAuthentication
  21. HostbasedAcceptedKeyTypes
  22. HostbasedAuthentication
  23. HostbasedUsesNameFromPacketOnly
  24. IPQoS
  25. KbdInteractiveAuthentication
  26. KerberosAuthentication
  27. MaxAuthTries
  28. MaxSessions
  29. PasswordAuthentication
  30. PermitEmptyPasswords
  31. PermitOpen
  32. PermitRootLogin
  33. PermitTTY
  34. PermitTunnel
  35. PermitUserRC
  36. PubkeyAcceptedKeyTypes
  37. PubkeyAuthentication
  38. RekeyLimit
  39. RevokedKeys
  40. RhostsRSAAuthentication
  41. RSAAuthentication
  42. StreamLocalBindMask
  43. StreamLocalBindUnlink
  44. TrustedUserCAKeys
  45. X11DisplayOffset
  46. X11Forwarding
  47. X11UseLocalHost

A note about using firewall

