# ssh: permit only internal root login

## idoneus

In order to make my network a little more secure, I am trying to make sure no one can log in as root using ssh from the internet.

However, I do think that I cannot just simply set the PermitRootLogin variable to no, since that would not allow me to access the server at all as a root user using ssh, which is the only way possible, since no screen or keyboard is attached.

So is there a way to permit intranet ssh root logins, while disallowing internet ssh root logins?

The configuration is set up so that internet access is available on eth0 while intranet access is available on eth1.

----------

## CheshireCat

I don't know of any configuration option which can do this, unless perhaps you were to use PAM logins and had a PAM module which could check the interface the connection comes from. I suppose that if you could start them from different config files, you could have two sshd running, one bound to each address, with different settings. You could also disable root login entirely and use su when you need root access.

----------

## b_Q

Hi

I suspect this would do it if PermitRootLogin is set to yes.

From man sshd_config:

> ...
>
> AllowUsers
>
> This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

---

However, I use AllowUsers to restrict ssh login to me only and have PermitRootLogin set to no anyway:

    AllowUsers me@my-host1 me@my-host2

i.e. only me@my-host1 and me@my-host2 may log in through ssh; all others are denied.

(ssh -v ... for feedback; more v's for more feedback)
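To make the USER@HOST behaviour concrete, here is an added example (not from b_Q's post and not OpenSSH's own code) that models how sshd evaluates an AllowUsers line against a login attempt. The user name, the private subnet 192.168.1.0/24 on eth1 and the client addresses are assumptions; real sshd also compares the HOST pattern against the client's resolved name, which this model leaves out.

```python
import re

# Constructed AllowUsers line: root may log in only from the (assumed) eth1
# subnet, while the ordinary user "idoneus" (assumed name) may log in from
# anywhere. PermitRootLogin must still be "yes" for the first pattern to matter.
ALLOW_USERS = "root@192.168.1.* idoneus"


def _pattern_to_regex(pattern):
    """Only '*' and '?' are wildcards in sshd patterns; all else is literal."""
    escaped = re.escape(pattern)
    return "^" + escaped.replace(r"\*", ".*").replace(r"\?", ".") + "$"


def parse_allow_users(line):
    """Split an AllowUsers value into (user_pattern, host_pattern) pairs.
    A bare pattern carries no host part, so it matches from any host."""
    patterns = []
    for token in line.split():
        if "@" in token:
            user_pat, host_pat = token.split("@", 1)
        else:
            user_pat, host_pat = token, None
        patterns.append((user_pat, host_pat))
    return patterns


def login_allowed(patterns, user, client_ip):
    """True if (user, client_ip) matches at least one pattern.
    USER and HOST are checked separately, as the man page states; this
    model matches HOST against the client IP only (assumption)."""
    for user_pat, host_pat in patterns:
        if not re.match(_pattern_to_regex(user_pat), user):
            continue
        if host_pat is None or re.match(_pattern_to_regex(host_pat), client_ip):
            return True
    return False


def audit(line, attempts):
    """Return {(user, ip): allowed} for a list of constructed attempts."""
    patterns = parse_allow_users(line)
    return {(u, ip): login_allowed(patterns, u, ip) for u, ip in attempts}


if __name__ == "__main__":
    # Constructed attempts: root from the LAN, root from the internet, others.
    for key, ok in audit(ALLOW_USERS, [("root", "192.168.1.20"),
                                       ("root", "203.0.113.7"),
                                       ("idoneus", "203.0.113.7")]).items():
        print(key, "allowed" if ok else "denied")
```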

----------

## idoneus

Thanks to both of you.

I think the idea b_Q proposed should work in my case.

Thanks again.

----------

## ARC2300

Just to let you know (as I'm not sure if you did), even if PermitRootLogin is set to no, you can always "su" to root once you do log in.

And just out of curiosity, why would you need to log in as root anyway?

----------

## idoneus

Well, I had not realized that I could still su, but I figured it out due to the above posts.

The reason I have to log in as root over ssh is that I have no screen or keyboard attached to my server, so all configuration is done using other computers, my laptop mostly.

----------

## BlinkEye

*ARC2300 wrote:*

> Just to let you know (as I'm not sure if you did), even if PermitRootLogin is set to no, you can always "su" to root once you do log in.

Provided the user you log in as is a member of the wheel group.

----------

