How to restrict SSH root login, but allow some exceptions
Given that logging in as root is not a good idea, have a look at the sshd manpage:

    PermitRootLogin
        Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``yes''.
        If this option is set to ``without-password'' password authentication is disabled for root.
        If this option is set to ``forced-commands-only'' root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
        If this option is set to ``no'' root is not allowed to log in.
So you could use PermitRootLogin without-password to allow private/public key authentication while disallowing password authentication; or maybe PermitRootLogin forced-commands-only to let you log in as root but without interactive access.
The latter case requires you to edit the authorized_keys file to specify which command is enabled for the logging-in user, like this:
command="rdiff-backup --server" ssh-rsa AAAAB3NzaC1y... (rest of key)
Or, even better, allow forced-commands-only root login only from a specific IP address:
from="10.1.1.1",command="/home/user/command/to/execute" ssh-rsa AAAAB3NzaC1y... (rest of key)
Vladimir Franciz S. Blando
Updated on September 18, 2022
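As an added example (not part of this answer and not OpenSSH code): a small Python audit that parses the authorized_keys option syntax used above (comma-separated options, double-quoted values, \" for a literal quote inside a value) and reports what each key in root's authorized_keys would let root do under a given PermitRootLogin setting. Besides the three values the quoted manpage names, it accepts prohibit-password, the name OpenSSH 7.0 gave to without-password (the old spelling is still accepted as an alias). The key lines in SAMPLE_KEYS are constructed for the example and the key material is not real.

```python
"""Audit root's authorized_keys against a PermitRootLogin setting.

Illustrative code added to this answer; it is not part of OpenSSH.
"""

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# without-password and prohibit-password mean the same thing: keys only, no password.
KEY_ONLY_MODES = {"without-password", "prohibit-password"}


def _options_end(line):
    """Index of the first whitespace outside double quotes: end of the options field."""
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(line):
                i += 2                      # backslash escapes the next character
                continue
            if c == '"':
                in_quotes = False
        elif c == '"':
            in_quotes = True
        elif c.isspace():
            return i
        i += 1
    return i


def parse_options(text):
    """Parse e.g. 'from="10.1.1.1",command="...",no-pty' into a dict.

    Bare flags map to True; quoted values are unquoted, with \\" turned into '"'.
    """
    options = {}
    i = 0
    while i < len(text):
        j = i
        while j < len(text) and text[j] not in "=,":
            j += 1
        name = text[i:j]
        if j < len(text) and text[j] == "=":
            j += 1
            if j >= len(text) or text[j] != '"':
                raise ValueError("value of %r must be double-quoted" % name)
            j += 1
            value = []
            while j < len(text) and text[j] != '"':
                if text[j] == "\\" and j + 1 < len(text) and text[j + 1] == '"':
                    value.append('"')
                    j += 2
                else:
                    value.append(text[j])
                    j += 1
            if j >= len(text):
                raise ValueError("unterminated quoted value for %r" % name)
            j += 1                          # skip the closing quote
            options[name] = "".join(value)
        else:
            options[name] = True
        if j < len(text) and text[j] == ",":
            j += 1
        i = j
    return options


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:                  # no options field on this line
        options, rest = {}, line
    else:
        end = _options_end(line)
        options, rest = parse_options(line[:end]), line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def audit_root_keys(permit_root_login, authorized_keys_text):
    """Return [(label, verdict), ...] describing what each key lets root do.

    Verdicts: 'denied' (PermitRootLogin no), 'rejected' (forced-commands-only but
    no command=), 'interactive shell', or 'forced command', with ' (any source)'
    appended when a forced command is not pinned to a from= pattern.
    """
    mode = permit_root_login.strip().lower()
    findings = []
    for raw in authorized_keys_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        opts = entry["options"]
        label = entry["comment"] or entry["type"]
        if mode == "no":
            verdict = "denied"
        elif "command" in opts:
            verdict = "forced command"
            if "from" not in opts:
                verdict += " (any source)"
        elif mode == "forced-commands-only":
            verdict = "rejected"
        elif mode == "yes" or mode in KEY_ONLY_MODES:
            verdict = "interactive shell"
        else:
            raise ValueError("unknown PermitRootLogin value: %r" % permit_root_login)
        findings.append((label, verdict))
    if mode == "yes":
        findings.append(("(password)", "root password login enabled"))
    return findings


# Constructed sample of /root/.ssh/authorized_keys; the key blobs are placeholders.
SAMPLE_KEYS = """\
# laptop key with no restrictions
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOTAREALKEY ops@laptop
from="10.1.1.1",command="rdiff-backup --server" ssh-rsa AAAAB3NzaC1yNOTAREALKEY backup@10.1.1.1
command="/usr/local/bin/report \\"nightly\\"",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOTAREALKEY cron@anywhere
"""

if __name__ == "__main__":
    for mode in ("no", "forced-commands-only", "without-password", "yes"):
        print("PermitRootLogin", mode)
        for label, verdict in audit_root_keys(mode, SAMPLE_KEYS):
            print("  %-18s %s" % (label, verdict))
```

To run it against a live host, feed it the contents of /root/.ssh/authorized_keys and the effective value reported by `sshd -T` (the `permitrootlogin` line), which reflects Match blocks and defaults rather than just what is written in sshd_config.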
- Vladimir Franciz S. Blando (over 1 year): In OpenSSH, you can restrict root login (PermitRootLogin no), but can it have an exception?
- Wayne Jhukie (almost 12 years): But that would mean that root login was permitted ... why not log in as a user and then su / sudo?
- Dennis (almost 12 years): I'm sorry, but what exception? Either you permit root login or you don't.