How to allow ssh to root user only from the local network?
I've installed Google-Authenticator on a CentOS 6.5 machine and configured certain users to provide OTP.
While editing /etc/ssh/sshd_config I saw a directive "PermitRootLogin" which is commented out by default.
I would like to set "PermitRootLogin no" but to still be able to ssh to the machine as root only from the local network.
Is that possible?
Use the Match config parameter in /etc/ssh/sshd_config:
# general config
PermitRootLogin no
# the following overrides the general config when conditions are met.
Match Address 192.168.0.*
    PermitRootLogin yes
See man sshd_config.
The Match Address method was already mentioned, but you can also restrict the users (or groups) that are allowed to log in to a system. For instance, to limit logins to the user itai (from anywhere) and root (from a specific network), use:
AllowUsers itai root@192.168.0.*
This prevents all other users (like apache) from logging in through SSH.
See also the AllowUsers keyword in the sshd_config(5) manual.
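A small model of how sshd applies the two answers above to one connection, added here as an illustration and not part of any answer: it parses a constructed sshd_config fragment, applies Match Address blocks (CIDR or wildcard, earliest matching block wins per keyword, mirroring sshd's first-obtained-value rule), checks AllowUsers user@host patterns against the client address, and reports whether a login for a given user from a given address would get past these two checks. It assumes a pre-7.0 OpenSSH default of PermitRootLogin yes, as on CentOS 6, and does not model hostname matching or pattern negation.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment combining the first two answers above.
SAMPLE_CONFIG = """\
PermitRootLogin no
AllowUsers itai root@192.168.0.*
Match Address 192.168.0.0/24
  PermitRootLogin yes
"""

def addr_matches(addr, patterns):
    """Client IP against a comma-separated list of CIDR or wildcard patterns."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) if "/" in p
               else fnmatch.fnmatchcase(addr, p) for p in patterns.split(","))

def parse_config(text):
    """Global keywords plus Match blocks in file order; first value wins."""
    global_opts, blocks, current = {}, [], None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, arg = value.partition(" ")
            current = {}
            blocks.append((crit.lower(), arg.strip(), current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    return global_opts, blocks

def user_pattern_ok(user, addr, pattern):
    u, _, h = pattern.partition("@")  # AllowUsers entry: user or user@host
    return fnmatch.fnmatchcase(user, u) and (not h or fnmatch.fnmatchcase(addr, h))

def login_allowed(text, user, addr):
    """True if user@addr passes AllowUsers and the effective PermitRootLogin."""
    global_opts, blocks = parse_config(text)
    override = {}
    for crit, arg, opts in blocks:
        if crit == "address" and addr_matches(addr, arg):
            override = {**opts, **override}  # earlier matching block wins
    effective = {**global_opts, **override}
    allow = effective.get("allowusers")
    if allow and not any(user_pattern_ok(user, addr, p) for p in allow.split()):
        return False
    # Default assumed "yes", as in the OpenSSH 5.x shipped with CentOS 6.
    return user != "root" or effective.get("permitrootlogin", "yes") != "no"
```

On a real host, sshd -T -C user=root,addr=192.168.0.10 prints the effective configuration sshd itself computes for such a connection, which is the authoritative check.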
A different strategy could be to leave PermitRootLogin set to no for all addresses, but allow a different user to log in and use sudo. One benefit of doing this is that you can limit what that user can do with the sudo configuration. This is an added layer of protection, in addition to limiting which IP addresses the admin user can log in from.
In /etc/ssh/sshd_config, disable root logins:
PermitRootLogin no
Create a different user called, say, admin. Configure the allowed IP addresses in this user's authorized keys file, /home/admin/.ssh/authorized_keys:
from="192.168.0.0/24,fe80::%eth0/64" <your public key here>
In this example, I also allowed traffic from IPv6 link-local addresses. This is helpful if you use mDNS that may resolve to an IPv6 address or if you need to access the server even when routing is broken. Note that the eth0 part of the address will change based on the interface name on your server. Use ifconfig or ip link to list valid network devices for your server.