sshd_config question.

Darren Tucker dtucker at
Mon Nov 27 12:06:54 EST 2006

Peter Stuge wrote:
> On Thu, Nov 09, 2006 at 12:22:33AM -0500, doug at wrote:
>> I want to allow a single host root access via ssh. If the order of
>> processing DenyUsers, AllowUsers were reversed this cold be done in
>> a straight forward manner.
>> My question, is would adding an Apache-like derective Order
>> Deny,Allow violate any standards or be a security problem?
> Couldn't you use the Match keyword (new in 4.4 IIRC) to do this in an
> even more straight forward manner? :)

You can't (yet), because PermitRootLogin isn't supported by Match (yet).

Anyway, Match is an attempt to solve "how do I make sshd do X on a per-Y 
basis?" for most values of X and Y) and the order is significant (unlike 
AllowUsers and friends, where the order is hardcoded).  So once it's 
supported this would simply be:

PermitRootLogin no
Match Host
	PermitRootLogin yes

Now if only the slacker responsible would finish the job (oh, wait, 
that's me :-).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list