How to allow direct root access via SSH on certain IP range?

1. I would like to login to root via ssh directly while at home (192.168.1.0/24).

2. But while outside (e.g. at work), I can still login via ssh by using one of the custom accounts I created.

I just tried:

Code:
    Match Address 192.168.1.0/24
            PermitRootLogin yes

and now I'm completely locked out of the box. I can't login while at work and from home as well (I sshed into my other FreeBSD box).

Any ideas on how this can be done? Thank you
 
Get in the habit of doing # sshd -t before reloading the configuration or restarting the daemon. sshd(8) restarted via /etc/rc.d/sshd isn't too chatty when there's an error in the configuration and you might think there's no error when in reality you have no sshd(8) running anymore. What you posted is basically how it's done but there might be some other errors in your configuration that are not shown.
 

That's the only change I made though. Surprised it broke if that is correct. I'll try your suggestion once I get home. Thanks! :)
 
This is what I have on my OpenBSD system (addresses censored):

Code:
Match Address 10.x.y.0/24,2001:mmmm:nnnn:8321::/64,127.0.0.1,::1
  PasswordAuthentication yes
  X11Forwarding yes
#  PermitRootLogin yes

I have PermitRootLogin disabled but I could enable it by just uncommenting the line and reloading configuration.
 
Hello,

You need only

Code:
PermitRootLogin yes
AllowUsers root@192.168.1.0/24

in your sshd_config.

Those lines will allow root login from the 192.168.1.0/24 network, and will deny root login from any other network.

Edit: And you should match any other users with AllowGroups, or, more elegantly:

Code:
# "Address" matches the client's IP; "Host" compares the client hostname
# (only the IP when UseDNS is off). Match blocks go at the end of the file.
Match Address 192.168.1.0/24
        PermitRootLogin yes

which will allow root login only from 192.168.1. , but will not restrict any-other-user login from everywhere.
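An added example that is not from any post in this thread: a small POSIX sh helper that catches the usual reason a Match block locks you out of sshd. Everything after a Match line up to the next Match belongs to that block, so a global-only directive left after it (a Subsystem or Port line, say) makes sshd reject the whole file and refuse to start, which is what the earlier reply's advice to run sshd -t before reloading is meant to catch. The list of global-only keywords is a heuristic subset of sshd_config(5), the two sample configs are constructed for the demo (the OP's actual file layout is not known), and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Lint an sshd_config for global-only
# directives placed after a Match line, then hand it to sshd -t (if sshd is
# installed) before it is put in /etc/ssh. Sample configs and paths are
# constructed for illustration.

# Keywords OpenSSH accepts only at global scope. Any of these after the first
# Match line yields "Directive 'X' is not allowed within a Match block".
# Heuristic subset of sshd_config(5), not the complete list.
GLOBAL_ONLY="Port ListenAddress HostKey Protocol Subsystem UsePAM UseDNS \
LoginGraceTime Ciphers MACs KexAlgorithms SyslogFacility PrintMotd PidFile \
MaxStartups TCPKeepAlive StrictModes Compression"

# lint_match_placement FILE
# Returns 0 when no global-only keyword follows a Match line, 1 otherwise.
# sshd_config keywords are case-insensitive, so compare in lower case.
lint_match_placement() {
    in_match=0
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        stripped=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$stripped" ] && continue
        key=$(printf '%s\n' "$stripped" | sed 's/[[:space:]=].*//')
        lkey=$(printf '%s\n' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = match ]; then
            in_match=1
            continue
        fi
        if [ "$in_match" -eq 1 ]; then
            for g in $GLOBAL_ONLY; do
                if [ "$(printf '%s\n' "$g" | tr 'A-Z' 'a-z')" = "$lkey" ]; then
                    echo "$1:$lineno: '$key' after a Match line; move the Match block to the end of the file" >&2
                    rc=1
                fi
            done
        fi
    done < "$1"
    return $rc
}

# validate_sshd_config FILE
# Our lint first, then sshd's own parser. sshd -t -f FILE exits non-zero on any
# error without starting a daemon, so it is safe to run on a live box.
validate_sshd_config() {
    lint_match_placement "$1" || return 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || return 1
    fi
    return 0
}

# Constructed sample: the Match snippet dropped into the middle of a typical
# FreeBSD sshd_config. The Subsystem line below it is now inside the block.
write_broken_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
Match Address 192.168.1.0/24
        PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Constructed sample: same intent, Match block last. Root may log in only from
# the home LAN; everyone else still uses a normal account from anywhere.
write_fixed_config() {
    cat > "$1" <<'EOF'
Port 22
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin no
# Match blocks must be the last thing in the file.
Match Address 192.168.1.0/24
        PermitRootLogin yes
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_broken_config "$tmp/broken"
    write_fixed_config "$tmp/fixed"
    if lint_match_placement "$tmp/broken"; then echo "broken: unexpected pass"; else echo "broken: rejected as expected"; fi
    if lint_match_placement "$tmp/fixed"; then echo "fixed: ok"; fi
    rm -rf "$tmp"
}

demo
```

In practice: copy the edited file to /etc/ssh/sshd_config.new, run `validate_sshd_config /etc/ssh/sshd_config.new`, and only then move it into place and `service sshd reload`, keeping your existing SSH session open until a fresh login from both the LAN and an outside address has succeeded.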
 