I have CentOS 5.

Is there any way that I can log into my VPS server as the root user from a particular IP address only?

I have read that I can use a private key to log in to sshd. But the problem is I am using SFTP for all my websites and I don't want non-IT users to use keys to log in with SFTP.

Or is there any way that only root can use keys to log in to the shell, but for the others it's a normal password?

5 Answers

A better way now is to use the Match keyword:

Match Host myworkstation
        PermitRootLogin yes

or

Match Address 192.168.1.100
        PermitRootLogin yes

That way, you can leave PermitRootLogin set to 'no', but you can still log in as root from your workstation.

This can also be used, for example, to allow root to rsync data between two hosts.

dannyw
  • your rsync example is exactly the use-case for which I googled this question. Thank you! ;) – Jan Jun 01 '17 at 13:57
  • Be aware that this only works using the reverse DNS of the source IP address. (at least for me it was the only way) – mveroone Jul 18 '18 at 10:37
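As an added illustration (my own code, not part of the answer above), here is a small Python model of how sshd resolves a directive such as PermitRootLogin for a client under the global/Match rules: a Match block overrides the global value only when all of its criteria hold, and Match Host is compared with the client's reverse-DNS name, which is why the comment above needed reverse DNS. The config text, and the names SSHD_CONFIG, effective_value and _match_applies, are constructed for this example; on a real host, `sshd -T -C user=root,host=myworkstation,addr=192.168.1.100` prints the effective values directly.

```python
import fnmatch
import ipaddress
from typing import Optional

# Constructed sample sshd_config mirroring the answer: root denied globally, re-allowed from one workstation.
SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication yes
Match Address 192.168.1.100,10.0.0.0/24
        PermitRootLogin yes
Match Host myworkstation
        PermitRootLogin yes
"""

def _addr_matches(patterns: str, addr: str) -> bool:
    """True if addr is in any comma-separated address/CIDR entry (no '!' negation modelled)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns.split(","))

def _match_applies(criteria: str, addr: str, host: Optional[str]) -> bool:
    """A Match line applies only when every 'Criterion pattern' pair holds."""
    tokens = criteria.split()
    for crit, pattern in zip(tokens[::2], tokens[1::2]):
        if crit.lower() == "address":
            ok = _addr_matches(pattern, addr)
        elif crit.lower() == "host":
            # sshd compares this with the client's reverse-DNS name (the bare IP string if UseDNS is off)
            ok = host is not None and any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))
        else:
            ok = False  # User, Group, LocalPort etc. are not modelled here
        if not ok:
            return False
    return True

def effective_value(config: str, keyword: str, addr: str, host: Optional[str] = None) -> Optional[str]:
    """Value sshd applies for keyword to a client at addr: first applicable Match block wins, else first global line."""
    global_val = match_val = None
    in_block = block_applies = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_block, block_applies = True, _match_applies(value, addr, host)
        elif key == keyword.lower():
            if in_block and block_applies and match_val is None:
                match_val = value
            elif not in_block and global_val is None:
                global_val = value
    return match_val if match_val is not None else global_val
```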
It is generally a better practice to log in as a non-privileged user first then use 'su -' or 'sudo' to gain root privileges, but...

You could always put the IP restriction on your key in ~root/.ssh/authorized_keys:

from="192.168.1.100" ssh-rsa AAAAh9uif...auwehuf== yourkey@yourhost.com

This would allow ssh using the yourkey@yourhost.com key only from 192.168.1.100.

Cakemox
Use:

PermitRootLogin without-password

In /etc/ssh/sshd_config. Every user excluding root will be allowed to use password logins. Root needs to use keys to log in.

rubiojr
Edit sshd_config (usually in /etc/ssh), and add or change the following directives:

  PermitRootLogin yes
  AllowUsers root@thehosttoallow

Then restart the daemon:

  service ssh restart

Déjà vu
  • I believe that, if the OP wanted to use `AllowUsers`, he would need to specify all users he wants to have access. Your example would only allow root to authenticate via ssh. – EEAA Oct 11 '10 at 00:40
  • Yes, this is on purpose. To allow any user, `*@thehosttoallow` indeed lets any user in. – Déjà vu Oct 11 '10 at 00:43
  • Also easily overridden with `ssh -o PreferredAuthentications=password` – geoidesic Apr 30 '18 at 20:36
First, why would you want to prevent users from using key auth? That makes no sense to me.

Second, don't allow root login via ssh. Just don't do it - there's no good reason for needing to do so. It goes against every best practice out there, and for good reason. If you need to grant permissions to read/write certain files, you should be able to do so through the standard Linux filesystem permissions. If you need more fine-grained access control, look into the Linux ACL system.

EEAA
  • What if I disable root login and none of the users has access to some main config file? Then I am locked out, as I can't log in via root –  Oct 11 '10 at 00:33
  • When you disable root login via ssh, root will still be able to sign in via the console. Also, you always have the option of granting a normal user root-esque permissions via sudo. This won't work for sftp, but as a failback in case you need to fix things, it would work fine and is the preferred way of granting permissions. – EEAA Oct 11 '10 at 00:36
  • @ErikA Allowing `root` from a *unique* host is not unsafe. There was a trend against the `root` access via `telnet` a few years back (before `ssh` was common), but allowing `root` via `ssh` to *only* one host doesn't look that unsafe. – Déjà vu Oct 11 '10 at 00:41
  • Sure, it may perhaps be "safe", but I'll still argue that it's a poor idea. I say this mainly due to the fact that, when people are given an easy way to get root access, they will use it, rather than using a safer, more proper way to gain access (sudo). – EEAA Oct 11 '10 at 01:17
  • Considering the author's question, one can assume he wants to perform administrative tasks through the `root` user. Allowing direct `root` access from only one host in this case is a reasonable alternative. – Déjà vu Oct 11 '10 at 04:00
  • Which console are you talking about? What if I don't have access to the console and I locked myself out? It happened to me: my root was disabled and my server restarted, and I can't even use sudo, as it said I was not in the sudoers list. –  Oct 11 '10 at 04:00
  • As for 'why' - how about if you have an internet-facing system which provides SFTP, but you only want to allow actual logons to come from the internal network? – Ralph Bolton Nov 17 '17 at 11:27
  • I don't know if it is safe. So far I've been able to override it with this `ssh -o PreferredAuthentications=password`, unless somehow I'm implementing it wrong. – geoidesic Apr 30 '18 at 20:37