James Allsopp wrote:
> Hi,
> I need to have one computer I can ssh to other computers as root for
> Ansible. To do this I've set up a strong certificate with a password, but
> what I want is to only be able to log in as root from one IP using that
> cert. All other users should only log in via a password and can do so from
> any IP.
>
> Currently normal user logins are broken with this sshd_config. Can anyone
> tell me where I'm going wrong? Sudo is not an option.
>
> [...]
> #PermitRootLogin no

Change this to "without-password" to force key-based logins. (Yeah, I
know this is in the global section but I'm not reading through the rest
of your config).

Alternately, if you don't want this as a global setting, an additional
stanza along these lines will take care of it:

match User root Address 192.0.2.10
    PermitRootLogin without-password

You shouldn't have to bother trying to create any rules for the other
users, as without a "match" directive, they'll just use the global
settings.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
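
Added example, not part of the original message or of OpenSSH: a simplified Python model of how sshd resolves settings for one connection when a Match stanza like the one above is present. It covers only the User and Address criteria (no negated patterns); the function names and the sample config, including the global "PermitRootLogin no", are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample config: global root login off, one Match exception.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes

Match User root Address 192.0.2.10
    PermitRootLogin without-password
    PasswordAuthentication no
"""

def _addr_matches(pattern, addr):
    # Address criteria may be CIDR ranges or wildcard patterns.
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(addr, pattern)

def _criteria_met(criteria, user, addr):
    # criteria is a flat list: [name, value, name, value, ...]; all must hold.
    for name, value in zip(criteria[::2], criteria[1::2]):
        patterns = value.split(",")
        if name.lower() == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif name.lower() == "address":
            ok = any(_addr_matches(p, addr) for p in patterns)
        else:
            raise ValueError(f"criterion not modelled here: {name}")
        if not ok:
            return False
    return True

def effective_settings(config_text, user, addr):
    """Return {keyword: value} for one connection under the simplified model."""
    global_opts, match_opts, active, in_match = {}, {}, True, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            in_match, active = True, _criteria_met(args, user, addr)
        elif active:
            # First value seen wins within the global section and across Match blocks.
            target = match_opts if in_match else global_opts
            target.setdefault(keyword.lower(), " ".join(args))
    return {**global_opts, **match_opts}  # satisfied Match blocks override globals
```

On the real host, `sshd -T -C user=root,addr=192.0.2.10` prints the settings sshd itself resolves for that connection, which is the authoritative check.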

