Linux: Allow SSH Root Login From Specific IP

Objective: Allow ssh root logins from a single IP address and disable root logins from other IP addresses.

To enable root logins via ssh, PermitRootLogin keyword has to be set to yes in the /etc/ssh/sshd_config (OpenSSH daemon configuration) file. To disable root logins, PermitRootLogin has to be set to no instead.

To allow only certain hosts or IP addresses to ssh as the root user, the Match keyword can be used. To allow ssh root logins from foo.example.com, use the following configuration.

Remember to append the Match rules at the end of the sshd_config file. You will need to restart the sshd daemon for the changes to take effect.

If you need to permit root logins from a few IP blocks, you can use the following syntax.

The above configuration will allow root logins from 192.168.10.10, 192.168.1.0/24 and 10.254.0.0/16.

If you want to permit a particular user to ssh from a certain IP address, you can use the following syntax.

The above Match rule will allow user ibrahim to use password authentication from the network 192.168.10.0/24. From other networks, the user will need to use public key authentication method.

Only a subset of keywords can be used with a Match block. Some of them are: AllowTcpForwarding, AuthenticationMethods, Banner, ChrootDirectory, PermitRootLogin, X11Forwarding. For the full list of keywords, refer to the sshd_config man page.

Ibrahim is a technology enthusiast with a keen interest in *NIX (Unix, Linux) systems, Android, open source and other tech related stuff. When his cpu load is low, you can probably find him online playing on his Xbox or PlayStation.