Restrict root ssh from all but one IP/hostname

Solution 1:

In /etc/ssh/sshd_config

# Disable Root login
PermitRootLogin no
#
# [ . . . ]
#
# At the end of the file, add (a Match block applies to every line that
# follows it until the next Match, so it must come after the global settings):
#
# Allow Root Login via Key from Admin Bastion
Match Address 10.9.8.7
        PermitRootLogin without-password
        # OpenSSH 7.0 and later spell this value prohibit-password;
        # without-password is still accepted as an alias.
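The point of the answer above is that the global PermitRootLogin and the Match block interact by position. The following script is an added example (not part of the answer) that emulates how sshd resolves a keyword for a given client address: first value wins in the global section, a Match block covers every line after it, and a matching block's values override the global ones. The two config strings are constructed for the demonstration; only the Address and "all" criteria are emulated, and other Match criteria are assumed not to match.

```python
import ipaddress

# Constructed sshd_config mirroring the answer above. Assumption: the rest of
# the real file sets no other PermitRootLogin and contains no other Match line.
SSHD_CONFIG = """\
# Disable Root login
PermitRootLogin no
PasswordAuthentication yes
# Allow Root Login via Key from Admin Bastion
Match Address 10.9.8.7
        PermitRootLogin without-password
"""

# The same lines with the Match block placed before the global setting: the
# "PermitRootLogin no" now belongs to the Match block, not the global section.
MISORDERED_CONFIG = """\
Match Address 10.9.8.7
        PermitRootLogin without-password
PermitRootLogin no
"""


def address_matches(pattern_list, client_ip):
    """Emulate a 'Match Address' list: comma-separated addresses or CIDRs,
    where a '!' prefix negates an entry and a negated hit rejects at once."""
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:
            if negate:
                return False
            matched = True
    return matched


def effective_options(config_text, client_ip):
    """Return keyword -> value as sshd would apply it to a client at client_ip.

    Emulated rules: the first value of a keyword in the global section wins;
    a Match block applies to every line after it until the next Match; among
    matching blocks the first to set a keyword wins; Match values override
    the global ones. Only 'Match Address' and 'Match all' are evaluated;
    other criteria (User, Group, Host, ...) are treated as not matching.
    """
    global_opts, match_opts = {}, {}
    active = None  # None: global section; True/False: inside an (in)applicable Match block
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            mparts = value.split(None, 1)
            crit = mparts[0].lower() if mparts else ""
            arg = mparts[1] if len(mparts) > 1 else ""
            if crit == "all":
                active = True
            elif crit == "address":
                active = address_matches(arg, client_ip)
            else:
                active = False  # assumption: other criteria never match here
            continue
        if active is None:
            global_opts.setdefault(keyword, value)
        elif active:
            match_opts.setdefault(keyword, value)
    return {**global_opts, **match_opts}


if __name__ == "__main__":
    for ip in ("10.9.8.7", "203.0.113.5"):
        print(ip, "->", effective_options(SSHD_CONFIG, ip).get("permitrootlogin"))
        print(ip, "misordered ->", effective_options(MISORDERED_CONFIG, ip).get("permitrootlogin"))
```

With the Match block at the end, the bastion gets without-password and everyone else gets no. With the block misordered, clients other than the bastion end up with PermitRootLogin unset, so sshd's compiled-in default applies rather than the "no" the admin intended. On a live host the authoritative check is `sshd -T -C user=root,host=bastion,addr=10.9.8.7 | grep -i permitrootlogin`, run once with the bastion address and once with any other address.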

Solution 2:

Why allow root ssh access at all? Murphy's law would have it that the time you need root access, you'll be away from your approved IP address.

This is just my opinion, but the better approach to this is to log in as a regular user and then su to root. To gain access to root, someone would need both your user password and the root password. So your regular user account would have to be in the admin or wheel group, depending on what Linux distro you're running.

EDIT: For even more improved security, only allow pre-shared key authentication for ssh connectivity. This can be a double-edged sword, though, if you're not at a machine that has the necessary private key.

Solution 3:

I assume this is RHEL 5+, which is what has this issue. The same steps would work for RHEL 4. The trick to make this work on RHEL 5 is to add

account required pam_access.so

to /etc/pam.d/sshd at the 2nd or 3rd line. If you just append it at the bottom, it does not work.

Resulting /etc/pam.d/sshd would look like:

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    required     pam_access.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
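The answer above shows where pam_access.so goes but not the rules it enforces; those live in /etc/security/access.conf, one `permission : users : origins` rule per line, and the first rule whose user and origin fields both match decides. The following script is an added example (not part of the answer) that emulates that evaluation so a rule set can be checked before it locks anyone out. Both access.conf texts are constructed for the demonstration and are assumptions about what such a file would contain; for an ssh login the origin is PAM_RHOST, i.e. the client address (or its name, if sshd resolves it).

```python
import ipaddress

# Constructed /etc/security/access.conf (assumption; the answer does not show
# one). root only from the admin bastion, anyone else from anywhere.
ACCESS_CONF = """\
+ : root : 10.9.8.7
- : root : ALL
+ : ALL : ALL
"""

# The same intent written with ALL EXCEPT and a CIDR origin (also constructed).
ACCESS_CONF_EXCEPT = """\
- : root : ALL EXCEPT 10.9.8.0/24
"""


def origin_matches(pattern, rhost):
    """Match one origin entry against the PAM rhost (IP address or hostname)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # pam_access: matches any origin without a '.'
        return "." not in rhost
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:              # pattern or rhost is not an address
        pass
    if pattern.startswith("."):     # domain suffix such as .example.com
        return rhost.endswith(pattern)
    return rhost == pattern


def user_matches(pattern, user, groups):
    """Login name, group name ('(name)' forces a group lookup) or ALL."""
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):
        return pattern[1:-1] in groups
    return pattern == user or pattern in groups


def field_matches(field, candidate, matcher):
    """A field is a space-separated list, optionally 'ALL EXCEPT <list>'."""
    items = field.split()
    if len(items) >= 3 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not any(matcher(item, candidate) for item in items[2:])
    return any(matcher(item, candidate) for item in items)


def access_allowed(conf_text, user, rhost, groups=()):
    """Evaluate access.conf for (user, rhost): the first rule whose user and
    origin fields both match decides; with no matching rule pam_access allows."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3:
            continue                # malformed line: skipped here (assumption)
        permission, users, origins = fields
        if field_matches(users, user, lambda p, u: user_matches(p, u, groups)) and \
                field_matches(origins, rhost, origin_matches):
            return permission == "+"
    return True


if __name__ == "__main__":
    for who, where in (("root", "10.9.8.7"), ("root", "203.0.113.5"), ("alice", "203.0.113.5")):
        verdict = "allowed" if access_allowed(ACCESS_CONF, who, where) else "denied"
        print(who, "from", where, "->", verdict)
```

Because the first match wins, the `- : root : ALL` line has to come after the `+` line for the bastion; swap them and root is locked out everywhere. Write origins as addresses when sshd runs with UseDNS no (the default in current OpenSSH), since PAM_RHOST is then the bare client IP and a hostname rule would never match.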

Solution 4:

Strict root access can be necessary for taking backups and so on, but it can be a very dangerous thing to have. Luckily, direct root access can be secured quite a bit by using ssh keys and the authorized_keys file.

First of all, allow root login in sshd_config but allow it only to execute a predefined set of commands: put PermitRootLogin forced-commands-only in /etc/ssh/sshd_config, or wherever your sshd config is stored. This disables password authentication for root, forces it to use ssh keys, and even then only allows the commands you defined.

Then log in to your client which needs to have this direct root access, and create a new ssh key there: ssh-keygen -t rsa. Make that key passwordless if needed by scripts.

Next, copy this newly created ssh key to your server with ssh-copy-id -i ~/.ssh/id_rsa.pub root@yourserver (if root login is still enabled); if not, just copy and paste the contents of ~/.ssh/id_rsa.pub into the /root/.ssh/authorized_keys file.

Now, let's assume your client needs to run /root/bin/startup_skynet.sh as root via ssh. Your existing authorized_keys file looks something like this at this point:

ssh-rsa FASBFAFfasdföjasfABGVEAGUPEGDJfsadnö2314235dfbösadköjsdfösdklf==

Modify it to be

no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,command="/root/bin/startup_skynet.sh" ssh-rsa FASBFAFfasdföjasfABGVEAGUPEGDJfsadnö2314235dfbösadköjsdfösdklf==

and save it.

Then try to execute from your client something like ssh root@myserver ls; this should fail. Then go on and execute ssh root@myserver /root/bin/startup_skynet.sh; now this should work.

This way, direct root logins can be made much more secure. As security is a layered thing and not something a single feature would provide, you can still do more. If you have a limited subset of users who need to connect, you might as well use the AllowUsers parameter in sshd_config to allow connections from a predefined set of IP addresses; something like AllowUsers root@192.168.1.2 root@192.168.1.3 johndoe would allow root from 192.168.1.2 and 192.168.1.3 and johndoe from everywhere.
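Two practitioner caveats on the forced-command setup in this answer. First, a `command=` option does not reject other commands: sshd runs the forced command no matter what the client asked for, and the requested command is only visible to that script in SSH_ORIGINAL_COMMAND (so `ssh root@myserver ls` runs startup_skynet.sh rather than erroring out). Second, since OpenSSH 7.2 the single option `restrict` covers the four `no-*` options and any restriction added in later releases. The following script is an added example (not the answer's code) that parses authorized_keys lines, honouring quotes and commas inside option values, and audits root's keys for a missing forced command or missing restrictions; the authorized_keys text is constructed and its key bodies are placeholders.

```python
# Key types recognised here (assumption: the common OpenSSH ones).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
FORWARDING_RESTRICTIONS = {"no-pty", "no-x11-forwarding",
                           "no-agent-forwarding", "no-port-forwarding"}

# Constructed /root/.ssh/authorized_keys; the base64 bodies are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# the next line is a bare key, i.e. an unrestricted root login
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 laptop
no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,command="/root/bin/startup_skynet.sh" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 skynet-client
restrict,command="/usr/bin/rsync --server --sender . /srv" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 backup-nas
from="10.9.8.7",command="/root/bin/status, with comma" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 bastion
"""


def _split_first_field(line):
    """Split off the first whitespace-delimited field, treating quoted text
    (with backslash escapes) as part of the field, as sshd does for options."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def parse_options(field):
    """Split an options field on unquoted commas; returns {name: value} with
    quotes removed, escapes resolved and flag options mapped to ''."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if c == "\\" and quoted and i + 1 < len(field):
            cur.append(field[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    opts = {}
    for item in items:
        if item:
            name, _, value = item.partition("=")
            opts[name.lower()] = value
    return opts


def parse_line(line):
    """Return (options, keytype, key, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_first_field(line)
    if first in KEY_TYPES:
        options, rest = {}, line
    else:
        options = parse_options(first)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: " + line)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def audit(text):
    """List (line number, comment, problems) per key. A root key passes when it
    has command= plus either 'restrict' (OpenSSH 7.2+) or all four no-* options."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, _keytype, _key, comment = parsed
        problems = []
        if "command" not in options:
            problems.append("no forced command")
        if "restrict" not in options:
            missing = sorted(FORWARDING_RESTRICTIONS - set(options))
            if missing:
                problems.append("missing " + ",".join(missing))
        findings.append((lineno, comment, problems))
    return findings


def restrict_key(bare_line, command):
    """Prefix a bare key line with the options the answer uses."""
    keytype, key, *comment = bare_line.split(None, 2)
    opts = 'no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,command="%s"' % command
    return " ".join([opts, keytype, key] + comment)


if __name__ == "__main__":
    for lineno, comment, problems in audit(AUTHORIZED_KEYS):
        print(lineno, comment, "OK" if not problems else "; ".join(problems))
```

Run against the real file with `audit(open("/root/.ssh/authorized_keys").read())`; any entry reported with "no forced command" is a full interactive root login regardless of what PermitRootLogin says, because forced-commands-only only refuses keys that carry no command= option.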