An often underused feature of OpenSSH is the Match statement. Match has been available since OpenSSH 4.4, so it is present in the versions shipped with RHEL/CentOS 6+ and Ubuntu 12.04+ (LocalAddress and LocalPort were added in a later release and are not in the OpenSSH 5.3 that RHEL/CentOS 6 ships). A Match line takes one or more of the following criteria, all of which must be satisfied for the block to apply:
Match User
Match Group
Match Host
Match LocalAddress
Match LocalPort
Match Address
Match blocks can help harden SSH, but they get confusing quickly when AllowUsers or AllowGroups are also in use: older releases did not accept those keywords inside a Match block at all, and on current releases they are valid both globally and inside Match, which makes it easy to lose track of which list applies to a given connection. If the goal is to allow root to log in only from certain IPs, disable root globally with PermitRootLogin no and make sure root is still covered by your AllowUsers or AllowGroups list. PermitRootLogin no denies root no matter what AllowUsers says and no matter where in the file either line appears, because the two are checked independently and both must pass. Then re-enable root from the chosen addresses in a Match block:
Match Address 127.0.0.1,192.168.0.12
    PermitRootLogin yes
    PasswordAuthentication yes
NOTE: a Match block does not end until the next Match line or the end of the file, so every directive meant to be global must appear before the first Match line. A keyword that is not permitted inside Match (Port or ListenAddress, for example) placed after it is read as part of the block and makes sshd refuse to start. If root only needs key-based access from those hosts, PermitRootLogin prohibit-password (without-password on releases before 7.0) is a safer choice than yes combined with PasswordAuthentication yes. Validate the file with sshd -t before restarting, and print the settings sshd will actually apply to a given client with sshd -T -C user=root,host=client.example.com,addr=192.168.0.12 (the -T and -C options need OpenSSH 5.1 or later).
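To see how the rules above interact, here is a toy Python model of sshd's Match handling. It is an added illustration, not OpenSSH code and not part of the original post. It assumes only the User, Group and Address criteria, a handful of keywords, and the semantics sshd_config(5) documents (first obtained global value wins, a Match block runs to the next Match line or end of file, a matching block overrides the global value); the two sample configs embedded in it are constructed for the example. It reproduces both points made above: PermitRootLogin no beats AllowUsers root, and a directive appended after the Match block is treated as part of that block.

```python
"""Toy model of how sshd(8) applies Match blocks. Added illustration, not
OpenSSH code; it follows sshd_config(5): the first obtained global value
wins, a Match block runs to the next Match line or end of file, and values
in a matching block override the global ones. Only User/Group/Address
criteria (exact, CIDR or fnmatch patterns) and a few keywords are modelled."""
import fnmatch
import ipaddress

# Subset of the keywords that sshd_config(5) permits inside a Match block.
MATCH_ALLOWED = {"permitrootlogin", "passwordauthentication",
                 "pubkeyauthentication", "allowusers", "allowgroups"}

# Constructed sample: root denied everywhere except from two addresses,
# where password login is re-enabled as well.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers root alice
PasswordAuthentication no

Match Address 127.0.0.1,192.168.0.12
    PermitRootLogin yes
    PasswordAuthentication yes
"""
# A "global" directive appended after the block lands inside the block.
BROKEN_CONFIG = SAMPLE_CONFIG + "Port 2222\n"


def _match_list(patterns, value):
    # Comma- or space-separated fnmatch-style patterns (AllowUsers, Match User).
    return any(fnmatch.fnmatchcase(value, p)
               for p in patterns.replace(",", " ").split())


def _match_address(patterns, addr):
    ip = ipaddress.ip_address(addr)
    for pat in patterns.split(","):
        if "/" in pat:
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, pat):
            return True
    return False


def _criteria_met(criteria, user, groups, addr):
    """criteria: tokens after 'Match', alternating criterion name and value."""
    for name, value in zip(criteria[::2], criteria[1::2]):
        name = name.lower()
        if name == "user":
            ok = _match_list(value, user)
        elif name == "group":
            ok = any(_match_list(value, g) for g in groups)
        elif name == "address":
            ok = _match_address(value, addr)
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True


def effective_options(config_text, user, groups, addr):
    """Return {keyword: value} as it would apply to the given connection."""
    global_opts, match_opts = {}, {}
    active = None  # None: global section; True/False: in a (non-)matching block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            active = _criteria_met(value.split(), user, groups, addr)
        elif active is None:
            global_opts.setdefault(key, value)   # first obtained value wins
        elif key not in MATCH_ALLOWED:
            # sshd rejects this at startup whether or not the block matches.
            raise ValueError(f"Directive '{key}' is not allowed within a Match block")
        elif active:
            match_opts.setdefault(key, value)    # first matching block wins
    return {**global_opts, **match_opts}


def check_config(config_text):
    """Rough analogue of `sshd -t`: returns the error message, or None."""
    try:
        effective_options(config_text, "nobody", [], "0.0.0.0")
    except ValueError as err:
        return str(err)
    return None


def login_allowed(opts, user, groups, method):
    """AllowUsers/AllowGroups are enforced first; PermitRootLogin is a separate
    check for root, so 'AllowUsers root' alone never re-enables root."""
    if "allowusers" in opts and not _match_list(opts["allowusers"], user):
        return False
    if "allowgroups" in opts and not any(
            _match_list(opts["allowgroups"], g) for g in groups):
        return False
    if user == "root":
        prl = opts.get("permitrootlogin", "prohibit-password").lower()  # current default
        if prl == "no" or (prl != "yes" and method == "password"):
            return False  # prohibit-password / without-password / forced-commands-only
    return not (method == "password"
                and opts.get("passwordauthentication", "yes").lower() == "no")
```

Calling effective_options(SAMPLE_CONFIG, "root", ["root"], "10.0.0.5") yields PermitRootLogin no, and login_allowed then denies root even though AllowUsers names it; from 192.168.0.12 the Match block flips it to yes. check_config(BROKEN_CONFIG) returns the same kind of complaint sshd -t would, because the trailing Port line is inside the block. The model is only for reasoning about the rules; the authoritative answer for a real host comes from sshd -T -C user=root,host=client.example.com,addr=192.168.0.12 on that host.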