Syntax
The syntax is pretty simple:
Match condition Override config option 1 Override config option 2
You can use the following as condition:
- User – Specifies the user to match. For example, if user is root allow login with ssh-keys but disallow everyone else.
- Group – Specifies the group to match. For example, If user in group admin, allow login but disallow everyone else.
- Host – Specifies the host to match
- LocalAddress – Specifies and match the the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
- LocalPort – Same as above.
- Address – Specifies the IP address or IP/subnet to match in CIDR format.
Example: Allow root login from from 192.168.2.5 with ssh-key but disallow everyone else
Append the following in your /etc/ssh/sshd_config:
$ sudo vi /etc/ssh/sshd_config
## Block root login to every one ##
PermitRootLogin no
## No more password login ##
PermitEmptyPasswords no
PasswordAuthentication no
## Okay allow root login with public ssh key for 192.168.2.5 ##
Match Address 192.168.2.5
PermitRootLogin yes
|
$ sudo systemctl reload sshd
You can setup multiple IP address/CIDR as follows:
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
Match Address 192.168.184.8,202.54.1.1,192.168.1.0/24
PermitRootLogin yes
|
Source : https://www.cyberciti.biz/faq/match-address-sshd_config-allow-root-loginfrom-one_ip_address-on-linux-unix/