SSH Server Configuration

Although the configuration of an SSH server is beyond the scope of this documentation, there are some helpful hints below. If root login is not required then it should not be enabled.

Restrict SSH Server Access to Certain Users

Adding the line below to the /etc/sshd_config file on the SSH server will only allow the user(s) specified to login via SSH.

  #Allow Users
  AllowUsers admin root
Restrict SSH Server Access to Certain Users connecting from specified IP address

Adding the line below to the /etc/sshd_config file on the SSH server will only allow the user(s) specified to login via SSH. In addition, the root user will only be able to connect from a machine with an IP address of 192.168.1.2

  #Allow Users
  AllowUsers admin root@192.168.1.2

An other possibility is to add the following into the /etc/pam.d/sshd file if you wish to restrict root logins only from a specific IP address, in this case 192.168.1.2. If you use this approach you should test that after a restart of the system every thing is working as expected. Finally, keep in mind that managing this with PAM is potentially another complexity you are adding to your system.

+:root:192.168.12
-:root:ALL



Disable Password Login

Adding the line below to the /etc/sshd_config file on the SSH server will disable password authentication.

   #Disable Password Authentication
   PasswordAuthentication no
Disable Root Password Login

Adding the line below to the /etc/sshd_config file on the SSH server will allow root logins provided authentication is not performed with a password. You should be carful with this option and carefully test the expected behavior. There are a number of potential options which have potential to conflict with this directive.

   #Disable Root Login
   #PermitRootLogin yes # (optional)
   PermitRootLogin without-password



More Tips