The syntax is simple: a Match line that names one or more criteria, followed by the options that override the global settings for every connection satisfying all of those criteria:

Match condition
    Override config option 1
    Override config option 2
You can use the following as conditions (when several appear on one Match line, all of them must hold):
- User – Matches the user name the client is logging in as. For example, apply an option only when the user is root, such as allowing root to log in with an SSH key from one address but nowhere else.
- Group – Matches any of the user's primary or supplementary groups. For example, allow login for members of group admin but nobody else.
- Host – Matches the client's canonical host name. With UseDNS no (the default) this is just the IP address as a string, so Address is usually the criterion you want.
- LocalAddress – Matches the local (listening) address on which the incoming connection was received.
- LocalPort – Matches the local port on which the incoming connection was received.
- Address – Matches the client's IP address, given either as a single address or as a subnet in CIDR notation (for example 192.168.1.0/24). Several entries can be separated by commas, and an entry prefixed with ! is negated.
Example: allow root to log in from 192.168.2.5 with an SSH key, and deny root login from every other address (other users are unaffected and can still log in with keys).
Append the following at the end of /etc/ssh/sshd_config. Every line after a Match line belongs to that block until the next Match line or the end of the file, so global settings must come before the first Match block:
$ sudo vi /etc/ssh/sshd_config

## Block root login for everyone ##
PermitRootLogin no
## No more password login (this is global, so it applies to all users) ##
PermitEmptyPasswords no
PasswordAuthentication no
## Okay, allow root login with a public SSH key from 192.168.2.5 ##
Match Address 192.168.2.5
    PermitRootLogin yes

Because PasswordAuthentication is off globally, root can only authenticate with a key even though the block says yes; PermitRootLogin prohibit-password inside the Match block states that intent explicitly. Then reload the daemon (the unit is called ssh rather than sshd on Debian and Ubuntu):
$ sudo systemctl reload sshd
You can list several IP addresses and CIDR ranges, separated by commas, as follows:

PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
Match Address 192.168.184.8,126.96.36.199,192.168.1.0/24
    PermitRootLogin yes
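Before reloading a Match-based config on a real host, you want to know what sshd will actually apply to a given client. The script below is an added example, not part of the original article or of OpenSSH; it is a small evaluator that models the documented Match rules (global keywords first, a matching block overrides them, the first matching block wins per keyword, and anything after a Match line belongs to that block) for the User, Group and Address criteria. The config texts and client tuples are constructed inputs; Host, LocalAddress and LocalPort are deliberately not modelled.

```python
"""Evaluate which sshd_config options a client would get after Match blocks.

Added example modelling sshd's documented Match semantics for the User,
Group and Address criteria (Host, LocalAddress, LocalPort, RDomain are not
modelled).  Not OpenSSH code; the sample configs below are constructed.
"""
import fnmatch
import ipaddress
import shlex

# Constructed sample: the article's multi-address example plus a User block.
SAMPLE_CONFIG = """\
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
Match Address 192.168.184.8,126.96.36.199,192.168.1.0/24
    PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
"""

# Constructed sample of the classic mistake: a "global" line placed after a
# Match block, which makes it part of that block instead of global.
MISORDERED_CONFIG = """\
PermitRootLogin no
Match Address 192.168.2.5
    PermitRootLogin yes
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_options, [(criteria, options), ...]).

    Keywords are case-insensitive and are stored lowercased; values keep their
    case.  Within one section the first value for a keyword is kept, as sshd
    does.  A Match line starts a new section that runs to the next Match line
    or end of file.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            if len(args) % 2:
                raise ValueError(f"malformed Match line: {raw!r}")
            criteria = {args[i].lower(): args[i + 1] for i in range(0, len(args), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, " ".join(args))
    return global_opts, blocks


def address_matches(pattern_list, addr):
    """Address criterion: comma-separated IPs/CIDRs; a '!' entry that matches
    rejects immediately, otherwise any positive entry that matches accepts."""
    ip = ipaddress.ip_address(addr)
    found = False
    for item in pattern_list.split(","):
        negate = item.startswith("!")
        if ip in ipaddress.ip_network(item.lstrip("!"), strict=False):
            if negate:
                return False
            found = True
    return found


def pattern_list_matches(pattern_list, value):
    """User/Group criteria: comma-separated shell-style patterns, '!' negates."""
    found = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat.lstrip("!")):
            if negate:
                return False
            found = True
    return found


def block_matches(criteria, client):
    """All criteria on a Match line must hold; client is a dict with 'user',
    'addr' and optionally 'groups'."""
    checks = {
        "user": lambda pat: pattern_list_matches(pat, client["user"]),
        "group": lambda pat: any(pattern_list_matches(pat, g) for g in client.get("groups", [])),
        "address": lambda pat: address_matches(pat, client["addr"]),
    }
    for name, pat in criteria.items():
        if name not in checks:
            raise NotImplementedError(f"Match criterion {name!r} is not modelled here")
        if not checks[name](pat):
            return False
    return True


def effective_options(text, client):
    """Options sshd would apply to this client: globals, overridden by the
    first matching Match block that sets each keyword."""
    global_opts, blocks = parse_sshd_config(text)
    result = dict(global_opts)
    overridden = set()
    for criteria, opts in blocks:
        if not block_matches(criteria, client):
            continue
        for key, value in opts.items():
            if key not in overridden:
                result[key] = value
                overridden.add(key)
    return result


if __name__ == "__main__":
    for client in ({"user": "root", "addr": "192.168.1.77"},
                   {"user": "root", "addr": "10.0.0.1"},
                   {"user": "deploy", "addr": "10.0.0.1"}):
        print(client, effective_options(SAMPLE_CONFIG, client))
    # The misordered file silently leaves PasswordAuthentication unset (sshd
    # default: yes) for everyone except clients coming from 192.168.2.5.
    print(effective_options(MISORDERED_CONFIG, {"user": "alice", "addr": "10.0.0.1"}))
```

On the real host, the equivalent check is built into sshd: `sshd -t` validates the file, and `sshd -T -C user=root,addr=192.168.2.5` prints the effective configuration for that user and source address after Match processing, which is the thing to run before `systemctl reload`.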
Source : https://www.cyberciti.biz/faq/match-address-sshd_config-allow-root-loginfrom-one_ip_address-on-linux-unix/