boltblog

ssh: how to permit root login only from local network / ip

Posted on October 22, 2008

From version 4.3p2, sshd supports an interesting option called Match. At the time of writing, this is the version supplied with Debian Etch (stable).

The Match keyword extends sshd_config with conditional blocks. A block starts at a Match line and runs until the next Match line or the end of the file, and the keywords inside it override the values set in the global section, so global settings have to come before the first Match line. Syntax such as the following is supported:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no

Match User bar,baz
    AllowTcpForwarding yes

Match Host t*
    AllowTcpForwarding yes

Unfortunately, only a subset of keywords may be used on the lines following a Match keyword (the set has grown in later releases; the authoritative list for your version is in the Match section of sshd_config(5)). At the time of writing the available keywords are:

AllowTcpForwarding
Banner
ChrootDirectory
ForceCommand
GatewayPorts
GSSAPIAuthentication
HostbasedAuthentication
KbdInteractiveAuthentication
KerberosAuthentication
MaxAuthTries
MaxSessions
PasswordAuthentication
PermitOpen
PermitRootLogin
RhostsRSAAuthentication
RSAAuthentication
X11DisplayOffset
X11Forwarding
X11UseLocalHost

Still, I found this extremely useful, for instance to permit root login only from the local network and to allow password login only from the IPs I really trust. From anywhere else I force myself to use a public key with a painfully long passphrase. Sadistic security rules.
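The following is an added example, not code from the original post or from OpenSSH. It is a small offline evaluator for the Match semantics described above (a block runs to the next Match line or end of file, block values override the global section, and the first value seen for a keyword wins), run against a constructed sshd_config that implements the policy the post describes: root login and password authentication only from the local network and one trusted address, keys everywhere else. The same policy is assembled in two orders to show the first-value-wins pitfall. The addresses (192.168.32.0/24, 203.0.113.7, 198.51.100.4), the user names and the function names are all assumptions made for this example.

```python
"""Offline evaluator for sshd's Match semantics.

Added example, not code from the original post or from OpenSSH. It models
the three rules that matter when writing Match blocks:
  1. a block runs from its Match line to the next Match line or end of file;
  2. keywords inside a matching block override the global section;
  3. when several matching blocks (or repeated lines) set the same keyword,
     the first value seen wins.
Only the Address and User criteria are modelled; the config text and the
addresses below are constructed for this example.
"""
import fnmatch
import ipaddress

# Constructed sshd_config pieces: root login and passwords only from the LAN
# and one trusted host, keys only everywhere else.
GLOBAL = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
LAN_BLOCK = """
Match Address 192.168.32.0/24,127.0.0.1
    PermitRootLogin yes
    PasswordAuthentication yes
"""
TRUSTED_BLOCK = """
Match Address 203.0.113.7
    PasswordAuthentication yes
"""
ROOT_KEYS_ONLY = """
Match User root
    PasswordAuthentication no
"""
# Pitfall ordering: the LAN block already set PasswordAuthentication, so the
# later "Match User root" block cannot take it away again.
PITFALL_CONFIG = GLOBAL + LAN_BLOCK + TRUSTED_BLOCK + ROOT_KEYS_ONLY
# Working ordering: the more specific block comes first.
FIXED_CONFIG = GLOBAL + ROOT_KEYS_ONLY + LAN_BLOCK + TRUSTED_BLOCK


def address_matches(pattern: str, addr: str) -> bool:
    """One entry of a Match Address list: CIDR notation or an sshd-style
    wildcard pattern (* and ?). Negated (!) entries are not modelled."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)


def match_line_holds(tokens: list, user: str, addr: str) -> bool:
    """A Match line is criterion/value pairs; every criterion must hold, and a
    comma-separated value list is satisfied by any one of its entries."""
    if not tokens or len(tokens) % 2:
        raise ValueError("Match line needs criterion/value pairs: %r" % (tokens,))
    for criterion, values in zip(tokens[::2], tokens[1::2]):
        entries = values.split(",")
        if criterion.lower() == "user":
            hit = any(fnmatch.fnmatchcase(user, e) for e in entries)
        elif criterion.lower() == "address":
            hit = any(address_matches(e, addr) for e in entries)
        else:
            raise ValueError("criterion %r not modelled here" % criterion)
        if not hit:
            return False
    return True


def effective_options(config: str, user: str, addr: str) -> dict:
    """Return the lower-cased keyword -> value map that applies to a connection
    from `addr` authenticating as `user` (values are kept as written)."""
    global_opts, match_opts = {}, {}
    in_match, active = False, True          # the global section is always active
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("keyword without a value: %r" % line)
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            in_match = True                   # every later line belongs to a block
            active = match_line_holds(value.split(), user, addr)
            continue
        if not active:
            continue
        target = match_opts if in_match else global_opts
        target.setdefault(keyword, value)     # first value seen wins
    return {**global_opts, **match_opts}      # block values override global ones


if __name__ == "__main__":
    for name, cfg in (("pitfall", PITFALL_CONFIG), ("fixed", FIXED_CONFIG)):
        for user, addr in (("root", "192.168.32.10"), ("root", "198.51.100.4"),
                           ("alice", "203.0.113.7")):
            o = effective_options(cfg, user, addr)
            print(name, user, addr, "root:", o["permitrootlogin"],
                  "password:", o["passwordauthentication"])
```

With the pitfall ordering, root connecting from the LAN still gets a password prompt even though the last block says otherwise; moving the `Match User root` block in front of the LAN block fixes it. On a real host the authoritative check is sshd itself: OpenSSH 5.1 and later (newer than the version this post was written against) can print the effective configuration for a hypothetical connection with `sshd -T -C user=root,addr=192.168.32.10,host=client.example`.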
