I am using macOS on the desktop and Ubuntu Linux on the server. I disabled root login over SSH and enabled SSH public-key login. However, I recently added a second Ubuntu server. I need to sync files between the two using the rsync command. Is there any way that I can log in to my first server as root from the second server's IP address only, without reducing the OpenSSH server security options?
Yes. You can restrict root login to one IP address or subnet with the Match option in sshd_config. A Match line opens a conditional block: if all of the criteria on the line are satisfied by the incoming connection, the keywords on the following lines override the values set in the global section, until the next Match line or the end of the file. For each keyword the first value obtained is used, so if two matching blocks set the same keyword the earlier one wins. Because every line after a Match line belongs to that block, put your Match blocks at the end of the file. You can use Match either to limit or to grant access to sshd features for particular users, groups, hosts or addresses.
Syntax
Match criterion value [criterion value ...]
    Override config option 1
    Override config option 2
- User – Matches the user name requested by the client. For example, allow root to log in with ssh keys from one address but from nowhere else.
- Group – Matches users who are members of one of the listed groups. For example, allow members of the admin group but nobody else.
- Host – Matches the client host name as sshd determines it; with UseDNS no (the default) that is simply the client IP address, so use Address for IP-based rules.
- LocalAddress – Matches the local (listening) address on which the incoming connection was received.
- LocalPort – Matches the local port on which the incoming connection was received.
- Address – Matches the client IP address: a single address, a CIDR range such as 192.168.2.0/24, or a wildcard pattern. Several entries may be given as a comma-separated list, and an entry may be negated with !.
Where should I put the Match configuration option? Edit the OpenSSH server configuration file and add the Match block at the end of it:
$ sudo vi /etc/ssh/sshd_config
OR
$ doas vi /etc/ssh/sshd_config
Example: Allow root login from 192.168.2.5 with an ssh key but disallow root login from everywhere else
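The configuration this example needs, added here as an illustration (it is not copied from the page or from any particular server): the global section keeps root locked out and passwords off, and one Match block at the end of the file re-enables key-only root login from the second server. The address 192.168.2.5 is the page's example value.

```text
# /etc/ssh/sshd_config (relevant lines only)

# Global section: applies to every connection
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Match blocks go last: every line after a Match line belongs to that block
# until the next Match line or the end of the file, and only the keywords
# listed in sshd_config(5) as valid after Match may appear inside one.
Match Address 192.168.2.5
    PermitRootLogin prohibit-password
```

prohibit-password (spelled without-password in older releases) lets root authenticate with a key but never with a password, so the global PasswordAuthentication no is not the only thing standing between a leaked root password and a root shell. Match compares against the source address of the TCP connection: if a NAT device or proxy sits between the two servers, every client behind it will present the permitted address, and the rule should then be tied to a user and key rather than to an address alone.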
Check the file for syntax errors, then ask sshd which settings it would apply to a connection from 192.168.2.5 as root. sshd -T on its own prints only the global settings; the -C connection spec makes it evaluate the Match blocks, and root privileges are needed because sshd reads the host keys:
$ sudo sshd -t
$ sudo sshd -T -C user=root,addr=192.168.2.5 | grep -i permitrootlogin
Reload or restart your sshd server. Keep your current session open and test a fresh login from the second server before closing it, so that a mistake in the file cannot lock you out:
$ sudo /etc/init.d/ssh reload
OR (Debian/Ubuntu Linux)
$ sudo systemctl reload ssh
OR (CentOS/RHEL/Fedora Linux)
$ sudo systemctl reload sshd
OR (OpenBSD)
$ doas /etc/rc.d/sshd restart
OR (FreeBSD)
$ sudo service sshd restart
You can set up multiple IP addresses or CIDR ranges in a single Match block by giving them as a comma-separated list (no spaces) after Address; the block applies when the client address matches any entry in the list.
How do I set up a conditional user name together with an IP address? Put both criteria on the same Match line, User followed by Address; a line with several criteria matches only when all of them are satisfied.
Using the *, ? and ! patterns
- * – Matches zero or more characters.
- ? – Matches exactly one character.
- ! – Negates a pattern within a pattern list. A negated pattern never produces a positive match on its own, so a list made only of negations matches nothing; add a positive term such as * after the negations to mean "everything except these".
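To see how sshd resolves these rules for a given connection, here is a small evaluator added as an illustration (it is not code from the page or from OpenSSH) that models the documented Match semantics on a constructed sshd_config: a comma-separated Address list, User and Address on one line, ! negation, * wildcards, and the rule that the first matching block to set a keyword wins. It covers the User, Address, LocalPort and All criteria only, and it is a model for reasoning about a file before deploying it, not a substitute for sshd -T -C on the real server.

```python
#!/usr/bin/env python3
"""Model of sshd_config Match evaluation (added illustration, not OpenSSH code)."""
import fnmatch
import ipaddress
import re

# Constructed sample config for the demo; not taken from any real server.
SAMPLE_CONFIG = """\
# Global section: no root logins and no passwords, from anywhere
PermitRootLogin no
PasswordAuthentication no

# Root may log in (key only) from the second server and from a VPN range
Match Address 192.168.2.5,10.8.0.0/24
    PermitRootLogin prohibit-password

# Everyone except root on the LAN, but not from the jump box, may use passwords
Match User !root,* Address 192.168.2.0/24,!192.168.2.99
    PasswordAuthentication yes

# Also matches 10.8.0.0/24, but an earlier block already set the keyword:
# the first obtained value wins, so this line has no effect
Match Address 10.8.0.0/24
    PermitRootLogin yes
"""


def match_pattern_list(value, patterns):
    """Comma-separated glob list with '!' negation, as in sshd's match_pattern_list:
    a negated hit fails at once (-1); a positive hit is remembered (1) and the
    scan continues; 0 means nothing matched (a list of only negations never matches)."""
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(value, pat):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def addr_match_list(addr, patterns):
    """Same convention for the Address criterion: each entry is tried as an IP or
    CIDR network first and as a wildcard pattern only if that fails."""
    ip = ipaddress.ip_address(addr)
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:          # not an address or CIDR: treat as a glob
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit:
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_line(criteria, user, addr, lport):
    """True if every 'criterion value' pair on a Match line holds (logical AND)."""
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("malformed Match line: " + criteria)
    for crit, val in zip(tokens[::2], tokens[1::2]):
        crit = crit.lower()
        if crit == "all":
            ok = True
        elif crit == "user":
            ok = match_pattern_list(user, val) == 1
        elif crit == "address":
            ok = addr_match_list(addr, val) == 1
        elif crit == "localport":
            ok = str(lport) == val
        else:
            raise ValueError("criterion not modelled here: " + crit)
        if not ok:
            return False
    return True


def effective_options(config, user, addr, lport=22):
    """Keyword -> value map sshd would apply to a connection from addr as user.
    Global section: first value of each keyword wins. Match blocks: the first
    matching block that sets a keyword wins and overrides the global value."""
    global_opts, match_opts = {}, {}
    in_match, active = False, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            active = match_line(rest, user, addr, lport)
        elif active:
            (match_opts if in_match else global_opts).setdefault(key, rest)
    return {**global_opts, **match_opts}


if __name__ == "__main__":
    for user, addr in [("root", "192.168.2.5"), ("root", "10.8.0.77"),
                       ("root", "203.0.113.9"), ("backup", "192.168.2.50"),
                       ("backup", "192.168.2.99")]:
        opts = effective_options(SAMPLE_CONFIG, user, addr)
        print(f"{user:7} from {addr:14} PermitRootLogin={opts['permitrootlogin']:18}"
              f" PasswordAuthentication={opts['passwordauthentication']}")
```

Running it shows root getting prohibit-password from 192.168.2.5 and 10.8.0.77 but no from 203.0.113.9, and the backup user getting PasswordAuthentication yes from 192.168.2.50 but no from the negated 192.168.2.99. The third Match block never changes anything, which is exactly the ordering pitfall to watch for in a long sshd_config.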
A list of keywords that you can use following a Match condition
- AcceptEnv
- AllowAgentForwarding
- AllowGroups
- AllowStreamLocalForwarding
- AllowTcpForwarding
- AllowUsers
- AuthenticationMethods
- AuthorizedKeysCommand
- AuthorizedKeysCommandUser
- AuthorizedKeysFile
- AuthorizedPrincipalsCommand
- AuthorizedPrincipalsCommandUser
- AuthorizedPrincipalsFile
- Banner
- ChrootDirectory
- DenyGroups
- DenyUsers
- ForceCommand
- GatewayPorts
- GSSAPIAuthentication
- HostbasedAcceptedKeyTypes
- HostbasedAuthentication
- HostbasedUsesNameFromPacketOnly
- IPQoS
- KbdInteractiveAuthentication
- KerberosAuthentication
- MaxAuthTries
- MaxSessions
- PasswordAuthentication
- PermitEmptyPasswords
- PermitOpen
- PermitRootLogin
- PermitTTY
- PermitTunnel
- PermitUserRC
- PubkeyAcceptedKeyTypes
- PubkeyAuthentication
- RekeyLimit
- RevokedKeys
- RhostsRSAAuthentication
- RSAAuthentication
- StreamLocalBindMask
- StreamLocalBindUnlink
- TrustedUserCAKeys
- X11DisplayOffset
- X11Forwarding
- X11UseLocalHost
A note about using a firewall
Match only changes what sshd permits once a connection has been accepted; the daemon still answers on port 22 for every host, so untrusted clients can keep probing it and attempting logins. Add a host firewall rule that accepts port 22 only from the trusted address or range, so that the two controls back each other up:
Linux: 20 Iptables Examples For New SysAdmins
How to setup a UFW firewall on Ubuntu 16.04 LTS server
References
- sshd_config(5)
- OpenSSH manual page