I've got several servers with the following sshd configuration.
# Authentication:
PermitRootLogin no
AllowGroups ssh
PubkeyAuthentication yes
PasswordAuthentication no
This means every user in group "ssh" can log in, but only with a pubkey. Login as root is not allowed.
But there must be an exception for root: my backup server with $ip must log in as root.
I tried:
AllowUsers root@$ip
AllowGroups ssh
But AllowUsers overrides the AllowGroups statement, so only root from $ip can log in.
Match User root, Address $ip
PermitRootLogin {yes|without-password}
AllowUsers root
and
Match Address $ip
PermitRootLogin {yes|without-password}
AllowUsers *
Both are completely ignored. Still, only normal users in group "ssh" can log in.
It's a simple scenario: user login restricted to pubkey, and root login restricted to pubkey and a certain IP. How do I solve this?
You haven't posted your entire sshd_config, so it's a little hard to reproduce the situation, but this seems to work:
# Main config prohibits all logins
PermitRootLogin no
AllowUsers root
# Permit root logins from a specific address
Match Address 192.168.1.20
PermitRootLogin yes
# Allow logins to anyone in "ssh" group.
Match Group ssh
AllowUsers *
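To see why this layout works where the question's attempt did not, here is a small model of sshd's Match resolution, written as an added example (it is not OpenSSH code and not part of the answer). It parses an sshd_config-style text, applies the documented rule that a satisfied Match block overrides the global section and that only the first satisfied block setting a keyword counts, and then evaluates AllowUsers, AllowGroups and PermitRootLogin for a given user and client address. Group membership, the user names and the addresses are constructed for the test; the authoritative check on a real host is `sshd -T -C user=root,addr=192.168.1.20`, which prints the effective configuration for that connection.

```python
"""Simplified model of sshd Match-block resolution (added example, not OpenSSH code)."""
import fnmatch
import ipaddress

# Constructed group membership for the test (hypothetical accounts).
GROUPS = {"ssh": {"alice", "carol"}}

# The configuration from the answer above.
ANSWER_CONFIG = """
PermitRootLogin no
AllowUsers root
Match Address 192.168.1.20
    PermitRootLogin yes
Match Group ssh
    AllowUsers *
"""

# The question's first attempt: AllowUsers and AllowGroups side by side.
ATTEMPT_CONFIG = """
AllowUsers root@192.168.1.20
AllowGroups ssh
"""


def parse_config(text):
    """Split config into a global dict and an ordered list of (criteria, opts) Match blocks."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "match":
            toks = rest.split()  # "Address 192.168.1.20", "Group ssh", "User root Address x"
            crit = {toks[i].lower(): toks[i + 1].split(",") for i in range(0, len(toks), 2)}
            cur = {}
            blocks.append((crit, cur))
            continue
        (cur if cur is not None else glob)[key] = rest.split()
    return glob, blocks


def glob_match(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)


def addr_match(pattern, addr):
    """sshd accepts CIDR (192.168.1.0/24) or wildcard (192.168.1.*) address patterns."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return glob_match(pattern, addr)


def match_list(patterns, value, matcher):
    """OpenSSH pattern-list rule: a matching '!pattern' rejects; else any positive match accepts."""
    hit = False
    for p in patterns:
        neg = p.startswith("!")
        if matcher(p.lstrip("!"), value):
            if neg:
                return False
            hit = True
    return hit


def user_groups(user):
    return {g for g, members in GROUPS.items() if user in members}


def block_applies(crit, user, addr):
    for name, pats in crit.items():
        if name == "user" and not match_list(pats, user, glob_match):
            return False
        if name == "address" and not match_list(pats, addr, addr_match):
            return False
        if name == "group" and not any(match_list(pats, g, glob_match) for g in user_groups(user)):
            return False
    return True


def effective(config, user, addr):
    """Global values, overridden per keyword by the FIRST satisfied Match block that sets it."""
    glob, blocks = parse_config(config)
    eff, seen = dict(glob), set()
    for crit, opts in blocks:
        if block_applies(crit, user, addr):
            for k, v in opts.items():
                if k not in seen:
                    eff[k], _ = v, seen.add(k)
    return eff


def login_permitted(config, user, addr):
    """Would sshd let this user authenticate (by pubkey) from this address at all?"""
    eff = effective(config, user, addr)
    # AllowUsers entries may be USER or USER@HOST; the HOST part is matched on the client address.
    def user_pat(pattern, u):
        if "@" in pattern:
            upat, hpat = pattern.split("@", 1)
            return glob_match(upat, u) and addr_match(hpat, addr)
        return glob_match(pattern, u)
    if "allowusers" in eff and not match_list(eff["allowusers"], user, user_pat):
        return False
    if "allowgroups" in eff and not any(
            match_list(eff["allowgroups"], g, glob_match) for g in user_groups(user)):
        return False
    # Default prohibit-password still allows pubkey; only "no" blocks root here.
    if user == "root" and eff.get("permitrootlogin", ["prohibit-password"])[0] == "no":
        return False
    return True
```

Running `login_permitted` over the four interesting cases (root from the backup address, root from elsewhere, a group member, a non-member) shows the answer's config giving exactly the intended result, while the attempt config denies the group member because `root@192.168.1.20` is the only AllowUsers entry. The model ignores DenyUsers/DenyGroups, hostname-based patterns and Match criteria other than User, Group and Address.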
Another solution is:
Have the following in your sshd_config:
AllowGroups ssh
PermitRootLogin without-password
Make root a member of the ssh group.
usermod -a -G ssh root
Add a public key to /root/.ssh/authorized_keys with a restricted source address, like this:
from=192.168.1.20 ssh-rsa ...
This will get you what you want:
The ssh group can log in.
root can only log in from the specific ip address in the authorized_keys file.
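The `from=` option in this second answer restricts the key, not the account, so it is worth being able to check exactly which client addresses a given authorized_keys file admits. The following is an added example (not OpenSSH code and not part of the answer): it parses authorized_keys lines including quoted option values, and evaluates `from=` pattern lists with the documented rules (wildcards, CIDR, and `!` negation rejecting outright). The sample file and its key blobs are constructed placeholders; the model matches on the client IP only and ignores the hostname form of the pattern.

```python
"""Evaluate authorized_keys `from=` restrictions for a client address (added example)."""
import fnmatch
import ipaddress

# Constructed sample file; key material is a placeholder, not a real key.
AUTHORIZED_KEYS = """\
# backup host may use this key only from one address (the answer's form, unquoted)
from=192.168.1.20 ssh-rsa AAAAB3NzaC1yc2EXAMPLE backup-server
# whole LAN except one host; quoted because the list contains a comma
from="192.168.1.*,!192.168.1.99",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE lan-admin
# no from= at all: usable from anywhere
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE2 laptop
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_unquoted(text, sep):
    """Split on sep, but not inside double quotes (option values may contain commas)."""
    parts, cur, quoted = [], "", False
    for c in text:
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += c
    parts.append(cur)
    return parts


def parse_line(line):
    """Return (options dict, [keytype, blob, comment...]) for one authorized_keys line."""
    fields = split_unquoted(line.strip(), " ")
    if fields[0].startswith(KEY_TYPE_PREFIXES):
        return {}, fields  # line has no options section
    opts = {}
    for item in split_unquoted(fields[0], ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts, fields[1:]


def host_matches(pattern, addr):
    """A from= element is a CIDR block or a glob pattern over the address."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(addr, pattern)


def from_allows(pattern_list, addr):
    """OpenSSH pattern-list rule: a matching negated element rejects immediately,
    otherwise accept iff some positive element matches. No from= means anywhere."""
    if pattern_list is None:
        return True
    hit = False
    for p in pattern_list.split(","):
        neg = p.startswith("!")
        if host_matches(p[1:] if neg else p, addr):
            if neg:
                return False
            hit = True
    return hit


def usable_keys(authorized_keys_text, addr):
    """Comments of the keys sshd would consider for a client connecting from addr."""
    usable = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, fields = parse_line(line)
        if from_allows(opts.get("from"), addr):
            usable.append(" ".join(fields[2:]))
    return usable
```

The useful property to check is the last one: a key with no `from=` remains usable from anywhere, so the root-only-from-one-address guarantee in this answer holds only while every key in /root/.ssh/authorized_keys carries the restriction.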