Allowing SSH access to the root account can be catastrophic if someone ever does succeed in breaking into your machine. While the majority of sysadmins turn into rabid wolves at the mere mention that your machine allows root login, at times it may be necessary.
This should work on any UNIX-based operating system running OpenSSH 4.3p or later. You may determine the version of OpenSSH by using
On Linux, edit /etc/ssh/sshd_config. On Macs, edit /etc/sshd_config. Locate the line that defines PermitRootLogin, uncomment it if it is commented out, and change its value to
On a separate line, add the following:
Match Address 192.168.2.*,127.0.0.1
    PermitRootLogin yes
This will allow root to log in only from your LAN, while every attempt from outside is denied.
Tips: Extra security features to go along with this would be:
- Denying usage of 'sudo su'
- Preventing passwordless, guest, or otherwise unauthorized users from using 'su'
- Using the above Match Address syntax to only allow root to log in using a public key, not a password
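The Match Address block above and the public-key-only tip both depend on how sshd scopes directives: the Match line and the directive it controls are separate lines, every line after a Match belongs to that block until the next Match, and the first matching block that sets a keyword wins over the global value. The following shell script is an added example (not part of the original page, and not OpenSSH's own code) that emulates that resolution for PermitRootLogin over a constructed sshd_config. It assumes only "Match Address" criteria with shell-style glob patterns (*, ?, and a leading ! for negation); CIDR notation and other Match criteria are not handled.

```shell
#!/bin/sh
# Added example, not from the original page: a small emulation of how sshd
# resolves PermitRootLogin for a connecting address when sshd_config uses
# Match Address blocks. Assumptions: only "Match Address" criteria are
# understood, patterns are shell-style globs with * ? and a leading ! for
# negation, and CIDR notation is not handled.

# Constructed sample configuration. The Match line and the directive it scopes
# are separate lines, and every line after a Match belongs to that block until
# the next Match, so Match blocks must come after all global directives.
SAMPLE_CONFIG='# global section
PermitRootLogin no
PasswordAuthentication yes

Match Address 192.168.2.*,127.0.0.1
    PermitRootLogin yes

Match Address 10.0.0.*
    # key-based root login only (OpenSSH 7.0+; "without-password" on older releases)
    PermitRootLogin prohibit-password
'

# address_matches ADDR PATTERNLIST: returns 0 when ADDR matches the
# comma-separated list the way sshd's Match Address does (a negated pattern
# that matches rejects the address outright).
address_matches() {
    addr=$1
    list=$2
    matched=1
    while [ -n "$list" ]; do
        pat=${list%%,*}
        case $list in *,*) list=${list#*,} ;; *) list='' ;; esac
        case $pat in
            !*) neg=${pat#!}
                case $addr in $neg) return 1 ;; esac ;;
            *)  case $addr in $pat) matched=0 ;; esac ;;
        esac
    done
    return $matched
}

# effective_permit_root_login ADDR CONFIG: prints the PermitRootLogin value
# sshd would apply to a connection from ADDR. The first matching Match block
# that sets the keyword wins; otherwise the global value is used; otherwise
# the compiled-in default (prohibit-password in current OpenSSH).
effective_permit_root_login() {
    addr=$1
    config=$2
    global=''
    result=''
    section=global          # global | match | skip
    while read -r key arg1 arg2 rest; do
        case $key in ''|'#'*) continue ;; esac    # blank lines and comments
        case $key in
            Match)
                if [ "$arg1" = Address ] && address_matches "$addr" "$arg2"; then
                    section=match
                else
                    section=skip    # a Match block for other addresses
                fi
                ;;
            PermitRootLogin)
                if [ "$section" = global ] && [ -z "$global" ]; then
                    global=$arg1
                elif [ "$section" = match ] && [ -z "$result" ]; then
                    result=$arg1
                fi
                ;;
        esac
    done <<EOF
$config
EOF
    printf '%s\n' "${result:-${global:-prohibit-password}}"
}

# Walk a few constructed source addresses through the sample configuration.
for a in 192.168.2.10 127.0.0.1 192.168.20.1 10.0.0.7 203.0.113.5; do
    printf '%-14s -> PermitRootLogin %s\n' "$a" "$(effective_permit_root_login "$a" "$SAMPLE_CONFIG")"
done
```

The emulation is a teaching aid only. On the real machine, run sshd -t to check the edited file for syntax errors before restarting the daemon, and sshd -T -C addr=192.168.2.10,user=root,host=example (as root, with addr set to the client address you care about) to print the configuration sshd would actually apply to that connection; grepping that output for permitrootlogin confirms that LAN addresses see yes and everything else sees the global value.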