ssh: how to permit root login only from local network / ip

From version 4.3p2, sshd supports an interesting option called Match. At the time of writing, this is the version supplied with Debian Etch (stable).

This patch extends sshd_config to support syntax such as:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no

Match User bar,baz
    AllowTcpForwarding yes

Match Host t*
    AllowTcpForwarding yes

Unfortunately, only a subset of keywords may be used on the lines following a Match keyword. Available keywords are:

AllowTcpForwarding
Banner
ChrootDirectory
ForceCommand
GatewayPorts
GSSAPIAuthentication
HostbasedAuthentication
KbdInteractiveAuthentication
KerberosAuthentication
MaxAuthTries
MaxSessions
PasswordAuthentication
PermitOpen
PermitRootLogin
RhostsRSAAuthentication
RSAAuthentication
X11DisplayOffset
X11Forwarding
X11UseLocalHost

Still, I found this extremely useful in, for instance, permitting root login only from the local network and to allow me to login with a password only from IP’s i really trust. At other places I force myself to use a public key with a painfully long passphrase. Sadistic security rules.

Leave a Reply

Your email address will not be published.