
I've got several servers with the following sshd configuration.

# Authentication:
PermitRootLogin no
AllowGroups ssh
PubkeyAuthentication yes
PasswordAuthentication no

This means every user in group "ssh" can log in, but only with a pubkey. Root login is not allowed.

But there must be an exception for root: my backup server with $ip must login as root.

I tried:

AllowUsers root@$ip
AllowGroups ssh

But AllowUsers overrides the AllowGroups statement. So only root from $ip can log in.

Match User root Address $ip
    PermitRootLogin {yes|without-password}
    AllowUsers root

and

Match Address $ip
    PermitRootLogin {yes|without-password}
    AllowUsers *

Both are completely ignored. Still, only normal users in group "ssh" can log in.

It's a simple scenario: user login restricted to pubkey, and root login restricted to pubkey and a certain IP. How can I solve this?


1 Answer


You haven't posted your entire sshd_config, so reproducing this situation is a bit difficult, but this seems to work:

# Main config prohibits all logins
PermitRootLogin no
AllowUsers root

# Permit root logins from a specific address
Match Address 192.168.1.20
  PermitRootLogin yes

# Allow logins to anyone in "ssh" group.
Match Group ssh
  AllowUsers *

Another solution is:

  • In your sshd_config:

    AllowGroups ssh
    PermitRootLogin without-password
    
  • Make root a member of the ssh group:

    usermod -a -G ssh root
    
  • Add a public key with a restricted source address to /root/.ssh/authorized_keys, like this:

    from="192.168.1.20" ssh-rsa ...
    

This gives you what you want:

  • Only members of the ssh group can log in.
  • root can only log in from the specific IP address given in the authorized_keys file.
answered 2014-02-09T14:10:37.923
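The point of the accepted configuration is that a Match block overrides the global section only for the connections it matches, and that AllowUsers in the global section restricts rather than extends AllowGroups. The evaluator below is an added example, not part of the answer above and not OpenSSH code: it implements a simplified model of sshd's rules (first value of a keyword wins; keywords in the first matching Match block override the global section) for just the User, Group and Address criteria and the AllowUsers, AllowGroups and PermitRootLogin keywords, and runs both the answer's first config and the asker's failed attempt (both embedded as constructed samples) through it. The from="..." restriction of the second solution lives in the key file, not in sshd_config, so it is outside this model. On a real host the authoritative check is `sshd -T -C user=root,addr=192.168.1.20`, which prints the effective options for that connection.

```python
"""Toy evaluator for sshd_config Match semantics (added example, not OpenSSH code)."""
import fnmatch
import ipaddress

# Constructed sample: the first configuration from the answer above.
ANSWER_CONFIG = """\
# Main config prohibits all logins
PermitRootLogin no
AllowUsers root

# Permit root logins from a specific address
Match Address 192.168.1.20
  PermitRootLogin yes

# Allow logins to anyone in "ssh" group.
Match Group ssh
  AllowUsers *
"""

# Constructed sample: the asker's first attempt (AllowUsers plus AllowGroups).
ATTEMPT_CONFIG = """\
AllowUsers root@192.168.1.20
AllowGroups ssh
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options maps lower-cased keyword -> list of values, keeping only the
    first occurrence (sshd: "the first obtained value will be used").
    match_blocks is a list of (criteria, options) in file order, where criteria
    maps lower-cased criterion type -> list of comma-separated patterns.
    """
    global_opts, blocks = {}, []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *vals = line.split()
        key = key.lower()
        if key == "match":
            if len(vals) % 2:
                raise ValueError(f"malformed Match line: {raw!r}")
            # Criteria are whitespace-separated "Type pattern-list" pairs.
            criteria = {vals[i].lower(): vals[i + 1].split(",") for i in range(0, len(vals), 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, vals)  # first value for a keyword wins
    return global_opts, blocks


def address_matches(addr, pattern):
    """Match a client address against one sshd address pattern (CIDR or wildcard)."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)


def block_matches(criteria, user, addr, groups):
    """A Match block applies only if every one of its criteria matches."""
    checks = {
        "user": lambda pats: any(fnmatch.fnmatchcase(user, p) for p in pats),
        "group": lambda pats: any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats),
        "address": lambda pats: any(address_matches(addr, p) for p in pats),
    }
    for ctype, pats in criteria.items():
        if ctype not in checks:
            raise ValueError(f"unsupported Match criterion in this model: {ctype}")
        if not checks[ctype](pats):
            return False
    return True


def effective_options(text, user, addr, groups=()):
    """Global options, overridden by the first matching Match block that sets each keyword."""
    global_opts, blocks = parse_sshd_config(text)
    effective, overridden = dict(global_opts), set()
    for criteria, opts in blocks:
        if block_matches(criteria, user, addr, groups):
            for key, vals in opts.items():
                if key not in overridden:  # first matching block wins per keyword
                    effective[key] = vals
                    overridden.add(key)
    return effective


def login_allowed(text, user, addr, groups=()):
    """Apply AllowUsers, AllowGroups and PermitRootLogin; all must pass."""
    opts = effective_options(text, user, addr, groups)
    allow_users = opts.get("allowusers")
    if allow_users:
        # Patterns are "user" or "user@host"; the host part is matched against the address.
        def user_ok(pat):
            upat, _, hpat = pat.partition("@")
            return fnmatch.fnmatchcase(user, upat) and (not hpat or address_matches(addr, hpat))
        if not any(user_ok(p) for p in allow_users):
            return False
    allow_groups = opts.get("allowgroups")
    if allow_groups and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False
    # Any PermitRootLogin value other than "no" still lets root reach key authentication.
    if user == "root" and opts.get("permitrootlogin", ["prohibit-password"])[0].lower() == "no":
        return False
    return True


if __name__ == "__main__":
    for cfg, user, addr, groups in [(ANSWER_CONFIG, "root", "192.168.1.20", ()),
                                    (ANSWER_CONFIG, "root", "10.0.0.5", ()),
                                    (ANSWER_CONFIG, "alice", "10.0.0.5", ("ssh",)),
                                    (ATTEMPT_CONFIG, "alice", "10.0.0.5", ("ssh",))]:
        print(user, addr, groups, "->", "allowed" if login_allowed(cfg, user, addr, groups) else "denied")
```

Running it shows the asymmetry the asker ran into: under the answer's config, root is allowed only from 192.168.1.20 while any ssh-group member is allowed from anywhere, whereas under the AllowUsers-plus-AllowGroups attempt an ssh-group member such as alice is denied because she fails the AllowUsers check.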