October 25, 2013 Archives

25-10-2013 17:59

Allow root ssh from selected machines

Sometimes you need to allow root ssh access. But this is not a great idea; I disallow root ssh on all my systems, instead finding alternative (often much more difficult) solutions such as running two or more ssh daemons with their own config files and controlling access to them with iptables. Convoluted.

Recently I found out how you can use the Match statement to selectively allow root ssh (and even limit it to PubkeyAuthentication only). It is rather simple, and the sshd_config man page explains more. Below is a self-explanatory example. The without-password value means that password authentication is disabled for root, so only public-key (or another non-password) authentication is accepted; it does look a bit scary if you didn't know that. I did find that only having the Address 127.0.0.1 didn't allow root ssh access to localhost.

Match Address 127.0.0.1,23.4.76.129,8.8.8.8
        PermitRootLogin without-password

Match Host localhost
        PermitRootLogin without-password
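A fuller configuration, added here as an example and not taken from the original post, showing the shape a practitioner would normally want: root login denied globally, the exceptions carried in Match blocks at the end of the file, and the allowed sources written as CIDR ranges. The networks 192.0.2.0/24 and 2001:db8::/32 are placeholder documentation ranges, not real hosts. Match blocks must come after all global directives, because each block extends to the next Match line or the end of the file, and everything inside it applies only to connections that satisfy the criteria. Listing both loopback addresses avoids depending on Match Host: a client connecting to the name localhost may resolve it to ::1 rather than 127.0.0.1.

```text
# /etc/ssh/sshd_config (added example; addresses are placeholders)

# Global defaults: nobody logs in as root, nobody authenticates with a password.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Everything from the first "Match" to the end of the file is conditional.
# Keep all global settings above this point.

# Root may log in from loopback and the management network, public key only.
# "prohibit-password" is the current name (OpenSSH 7.0 and later) for
# "without-password"; the old spelling is still accepted as an alias.
Match Address 127.0.0.1,::1,192.0.2.0/24,2001:db8::/32
    PermitRootLogin prohibit-password

# Criteria in one Match line are ANDed. Root from a single jump host can be
# restricted further, here to keys kept in a file root cannot edit.
Match User root Address 192.0.2.10
    AuthorizedKeysFile /etc/ssh/authorized_keys/root
```

Check the file before reloading: sshd -t -f /etc/ssh/sshd_config reports syntax errors, and sshd -T -C user=root,addr=192.0.2.15,host=192.0.2.15 prints the effective configuration for a simulated connection from that address, so grep -i permitrootlogin in its output should show prohibit-password for a listed source and no for any other address. If the value is not what you expect, the usual cause is a global directive placed below a Match line, where it silently became conditional.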

Posted by DaveQB | Permanent Link | Categories: IT
