Re: SSH root login from one ip via certificate only, all other logins password only.
- Date: Wed, 29 Aug 2018 13:05:08 -0000 (UTC)
- From: Dan Purgert <dan@xxxxxxxx>
James Allsopp wrote:
> I need to have one computer I can ssh to other computers as root for
> Ansible. To do this I've set up a strong certificate with a password, but
> what I want is to only be able to log in as root from one IP using that
> cert. All other users should only log in via a password and can do so from
> any IP.
> Currently normal user logins are broken with this sshd_config. Can anyone
> tell me where I'm going wrong? Sudo is not an option.
> #PermitRootLogin no
Change this to "without-password" to force key-based logins. (Yeah, I
know this is in the global section but I'm not reading through the rest
of your config).
Alternately, if you don't want this as a global setting, an additional
stanza along these lines will take care of it:
    match User root Address 192.0.2.10
You shouldn't have to bother trying to create any rules for the other
users, as without a "match" directive, they'll just use the global
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
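
The Match-based layout discussed in this message, as an added example that is not part of the original post or anyone's actual configuration: a constructed sshd_config fragment plus a small Python model of how a Match block overrides the global section for one user/address pair. Assumptions: the model handles only exact `User` and `Address` values (no patterns or CIDR), `prohibit-password` is used as the current OpenSSH name for `without-password`, and the user name `alice` and address 198.51.100.7 are made up for the check.

```python
# Added example: a deliberately small model of how sshd picks settings.
# Only exact "Match User <name> Address <ip>" criteria are supported (assumption).
SSHD_CONFIG = """\
# Global section: applies to every connection unless a Match block overrides it.
PermitRootLogin no
PasswordAuthentication yes

# Root may log in from the Ansible host only, and only with a key.
Match User root Address 192.0.2.10
    PermitRootLogin prohibit-password
    PasswordAuthentication no
"""

def parse(text):
    """Return (global_settings, [(criteria, settings), ...]) with lowercase keywords."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, args = line.partition(" ")
        if keyword.lower() == "match":
            words = args.split()
            criteria = {words[i].lower(): words[i + 1] for i in range(0, len(words), 2)}
            current = {}  # keywords that follow belong to this Match block
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword.lower(), args.strip())  # first value wins
    return global_settings, blocks

def effective(text, user, address):
    """Settings that apply to one connection: globals, overridden by matching blocks."""
    global_settings, blocks = parse(text)
    conn = {"user": user, "address": address}
    overrides = {}
    for criteria, settings in blocks:
        if all(conn.get(k) == v for k, v in criteria.items()):
            for k, v in settings.items():
                overrides.setdefault(k, v)  # earlier matching block wins
    return {**global_settings, **overrides}

if __name__ == "__main__":
    for who in [("root", "192.0.2.10"), ("root", "198.51.100.7"), ("alice", "198.51.100.7")]:
        print(who, effective(SSHD_CONFIG, *who))
```

On a real server, `sshd -T -C user=root,host=localhost,addr=192.0.2.10` prints the settings sshd itself would apply to that connection, which is the authoritative check.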