SSH Filtering

The goal is to allow root to login with username/password from local IP-addresses. But only allow root to login with public key authentication from internet.

First change the following settings in /etc/ssh/sshd_config. this will allow normal users to login with username/password but root users must use public key authentication.

PasswordAuthentication yes
PermitRootLogin without-password

Second, add the following to the end of /etc/ssh/sshd_config. Its important that you are in the end of the file because how sshd_config is read by the daemon.

Match address
 PermitRootLogin yes