Re: SSH root login from one ip via certificate only, all other logins password only.




James Allsopp wrote:
> Hi,
> I need to have one computer I can ssh to other computers as root for
> Ansible. To do this I've set up a strong certificate with a password, but
> what I want is to only be able to log in as root from one IP using that
> cert. All other users should only log in via a password and can do so from
> any IP.
>
> Currently normal user logins are broken with this sshd_config. Can anyone
> tell me where I'm going wrong? Sudo is not an option.
>
> [...]
> #PermitRootLogin no

Change this to "without-password" to force key-based logins.  (Yeah, I
know this is in the global section but I'm not reading through the rest
of your config).

Alternately, if you don't want this as a global setting, an additional
stanza along these lines will take care of it:

match User root Address 192.0.2.10
  PermitRootLogin without-password

You shouldn't have to bother trying to create any rules for the other
users, as without a "match" directive, they'll just use the global
settings.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
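
Added example, not part of the original message or of the poster's config: one way to lay out the stanza suggested above so that root is refused everywhere except the one address. The global values, the AuthenticationMethods line, the second test address and the host name in the check commands are assumptions for illustration; 192.0.2.10 is the address used in the reply.

```conf
# /etc/ssh/sshd_config (fragment, constructed for illustration)

# Global section: applies to every connection that no Match block overrides.
# Root is refused from everywhere by default.
PermitRootLogin no
# Ordinary users keep password logins from any address.
PasswordAuthentication yes

# A Match block runs until the next Match line or the end of the file,
# so this stanza has to come after all global settings.
Match User root Address 192.0.2.10
    # prohibit-password is the current name for without-password (OpenSSH 7.0+).
    PermitRootLogin prohibit-password
    # Assumption: also restrict root to public-key authentication explicitly.
    AuthenticationMethods publickey

# Check the effective settings before reloading sshd (run as root):
#   sshd -t
#   sshd -T -C user=root,addr=192.0.2.10,host=example | grep -i permitrootlogin
#   sshd -T -C user=root,addr=198.51.100.7,host=example | grep -i permitrootlogin
# The first query should report without-password or prohibit-password
# (the spelling depends on the OpenSSH version), the second "no".
```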