# How to allow direct root access via SSH on certain IP range?



## mrjayviper (Aug 17, 2015)

1. I would like to log in as root via ssh directly while at home (192.168.1.0/24).

2. But while outside (e.g. at work), I can still log in via ssh by using one of the custom accounts I created.

I just tried:


```
Match Address 192.168.1.0/24
            PermitRootLogin yes
```

and now I'm completely locked out of the box. I can't log in while at work or from home either (I sshed into my other FreeBSD box).

Any ideas on how this can be done? Thank you


----------



## kpa (Aug 17, 2015)

Get in the habit of doing `# sshd -t` before reloading the configuration or restarting the daemon. sshd(8) restarted via /etc/rc.d/sshd isn't too chatty when there's an error in the configuration and you might think there's no error when in reality you have no sshd(8) running anymore. What you posted is basically how it's done but there might be some other errors in your configuration that are not shown.


----------



## mrjayviper (Aug 17, 2015)

kpa said:


> Get in the habit of doing `# sshd -t` before reloading the configuration or restarting the daemon. sshd(8) restarted via /etc/rc.d/sshd isn't too chatty when there's an error in the configuration and you might think there's no error when in reality you have no sshd(8) running anymore. What you posted is basically how it's done but there might be some other errors in your configuration that are not shown.



That's the only change I made, though. Surprised it broke if that is correct. I'll try your suggestion once I get home. Thanks!


----------



## kpa (Aug 17, 2015)

Make sure you place your Match block(s) at the end of sshd_config(5).


----------



## mrjayviper (Aug 17, 2015)

kpa said:


> Make sure you place your Match block(s) at the end of sshd_config(5).


Definitely at the end. Maybe Match/PermitRootLogin needs to be 1 line?


----------



## kpa (Aug 17, 2015)

This is what I have on my OpenBSD system (addresses censored):


```
Match Address 10.x.y.0/24,2001:mmmm:nnnn:8321::/64,127.0.0.1,::1
  PasswordAuthentication yes
  X11Forwarding yes
#  PermitRootLogin yes
```

I have PermitRootLogin disabled, but I could enable it by just uncommenting the line and reloading the configuration.


----------



## quintessence (Aug 17, 2015)

Hello,

You need only


```
PermitRootLogin yes
AllowUsers root@192.168.1.0/24
```

in your sshd_config.

Those lines will allow root login from the 192.168.1. network and will deny root login from any other network.

Edit: And you should match any other users with AllowGroups, or, more elegantly:


```
Match host "192.168.1.*"
PermitRootLogin yes
```

which will allow root login only from 192.168.1., but will not restrict any-other-user login from anywhere.
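An added example, not code from this thread or from OpenSSH, that models how sshd(8) resolves Match blocks and AllowUsers for one connection. It covers kpa's point that every keyword after a Match line belongs to that block (so a directive placed below the block silently stops being global), the Match Address form from the first post, and both variants in this post. On a real box the authoritative checks are `sshd -t -f FILE` for syntax and `sshd -T -C addr=IP,user=NAME,host=NAME` for the effective settings of a given connection; the model assumes FreeBSD's default of PermitRootLogin no and, for Match Host, uses the bare address as the client hostname (what sshd sees with UseDNS no). All configs and addresses in it are constructed.

```python
"""Model of how sshd(8) resolves Match blocks and AllowUsers for one connection.

Constructed example; not code from the thread or from OpenSSH. Assumes the
FreeBSD default PermitRootLogin no and treats the client "host" as the bare
address when no reverse-DNS name is supplied (what sshd sees with UseDNS no).
"""
import fnmatch
import ipaddress
import re
import shlex

DEFAULTS = {"permitrootlogin": "no", "passwordauthentication": "yes"}  # assumed defaults
LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}  # these accumulate

def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]).

    Every keyword after a Match line belongs to that block until the next Match
    line or end of file, which is why Match blocks must go at the end. Within a
    section sshd keeps the first value it sees for a keyword (lists accumulate).
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            tokens = shlex.split(value)  # criterion/pattern pairs, quotes removed
            current = {}
            blocks.append((list(zip(tokens[::2], tokens[1::2])), current))
            continue
        target = global_opts if current is None else current
        if key in LIST_KEYWORDS:
            target[key] = (target.get(key, "") + " " + value).strip()
        else:
            target.setdefault(key, value)
    return global_opts, blocks

def _addr_matches(patterns, addr):
    """Address criterion: comma-separated IPs or CIDR blocks, '!' negates."""
    ip = ipaddress.ip_address(addr)
    for pat in patterns.split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        if ip in ipaddress.ip_network(pat, strict=False):  # a bare IP becomes /32 or /128
            return not neg
    return False

def _glob_matches(patterns, value):
    """Host/User criteria: comma-separated shell-style globs, '!' negates."""
    for pat in patterns.split(","):
        neg, pat = pat.startswith("!"), pat.lstrip("!")
        if fnmatch.fnmatchcase(value, pat):
            return not neg
    return False

def block_matches(criteria, user, addr, host=None):
    """All criterion/pattern pairs on one Match line must hold."""
    host = host or addr
    checks = {"address": lambda p: _addr_matches(p, addr),
              "host": lambda p: _glob_matches(p, host),
              "user": lambda p: _glob_matches(p, user)}
    return all(checks[crit.lower()](pat) for crit, pat in criteria)

def effective(config, keyword, user, addr, host=None):
    """First matching Match block that sets the keyword wins, else the global value."""
    keyword = keyword.lower()
    global_opts, blocks = parse_sshd_config(config)
    for criteria, opts in blocks:
        if keyword in opts and block_matches(criteria, user, addr, host):
            return opts[keyword]
    return global_opts.get(keyword, DEFAULTS.get(keyword))

def _allowusers_hit(pattern, user, addr, host):
    """AllowUsers entry is USER or USER@HOST; HOST may be a glob or a CIDR block."""
    upat, _, hpat = pattern.partition("@")
    if not fnmatch.fnmatchcase(user, upat):
        return False
    if not hpat:
        return True
    if "/" in hpat:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(hpat, strict=False)
    return fnmatch.fnmatchcase(host or addr, hpat) or fnmatch.fnmatchcase(addr, hpat)

def login_allowed(config, user, addr, host=None):
    """root needs PermitRootLogin other than 'no'; AllowUsers, if set, is a whitelist."""
    if user == "root" and effective(config, "PermitRootLogin", user, addr, host) == "no":
        return False
    allow = effective(config, "AllowUsers", user, addr, host)
    if allow is None:
        return True  # no AllowUsers line: every account may log in
    return any(_allowusers_hit(p, user, addr, host) for p in allow.split())

# Constructed configs mirroring the thread's variants, plus one misplaced directive.
OP_CONFIG = "Match Address 192.168.1.0/24\n    PermitRootLogin yes\n"
ALLOWUSERS_CONFIG = "PermitRootLogin yes\nAllowUsers root@192.168.1.0/24\n"
MATCH_HOST_CONFIG = 'Match Host "192.168.1.*"\nPermitRootLogin yes\n'
MISPLACED_CONFIG = OP_CONFIG + "PasswordAuthentication no  # meant globally, but sits inside the Match\n"

if __name__ == "__main__":
    for name, cfg in [("op", OP_CONFIG), ("allowusers", ALLOWUSERS_CONFIG), ("match-host", MATCH_HOST_CONFIG)]:
        for user, addr in [("root", "192.168.1.10"), ("root", "203.0.113.5"), ("alice", "203.0.113.5")]:
            print(f"{name:11} {user}@{addr}: allowed={login_allowed(cfg, user, addr)}")
    print("misplaced PasswordAuthentication seen from outside:",
          effective(MISPLACED_CONFIG, "PasswordAuthentication", "alice", "203.0.113.5"))
```

Running it shows the difference between the two snippets in this post: with only `AllowUsers root@192.168.1.0/24`, a non-root account from outside is refused because AllowUsers is a whitelist, whereas the Match Host form leaves other accounts unaffected. The misplaced-directive case is the trap kpa describes: a `PasswordAuthentication no` written below a Match block only applies to that block's addresses, and `sshd -t` will not flag it because it is syntactically valid.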


----------

