== Using different sshd options for different origin hosts

Suppose, hypothetically, that you need both to expose some hosts to incoming SSH traffic from the Internet and to allow root access to them over SSH (either directly or through automation that holds keys in root's authorized_keys). However, you certainly don't need both at once; you'll never be doing root access from the Internet. Wouldn't it be nice if you could have some _sshd_ settings that varied based on where the connection was coming from?

Well, you can. Modern versions of OpenSSH support a _Match_ directive in ((/etc/ssh/sshd_config)), and this can be used to allow or disallow a whole set of things based on the connection origin. In the case I gave above you could do this with:

.pn prewrap on

> PermitRootLogin no
> Match Address 127.0.0.0/8,10.0.0.0/16
>     PermitRootLogin prohibit-password

(The IP address ranges here are an example. Note the _Address_ keyword: a bare list of addresses after _Match_ is rejected as an unsupported Match attribute and sshd will not start. _prohibit-password_ is the current name for this setting; older releases spell it _without-password_, which is still accepted as a deprecated alias.)

Two rules about _Match_ blocks are worth knowing before you write one. First, the settings after a _Match_ line apply only to matching connections and run until the next _Match_ line or the end of the file, so all of your global settings have to come before the first _Match_. Second, a setting in a matching block overrides the global value, and if several blocks match the same connection, the first block that sets a given keyword wins. You can check what a particular connection would get without actually connecting: _sshd -T -C addr=10.0.0.5,user=root_ prints the effective configuration for that source address and target user (supply every criterion that your _Match_ lines use, because _sshd -T_ refuses to run otherwise).

_Match_ allows you to match connections based on various characteristics of both the connection (eg origin IP address or hostname) and the local target (eg the target local user and group). Of these, _Address_ is the one to rely on for anything security-relevant; _Host_ matches the client's hostname as established by reverse DNS, which you don't control and which is unavailable if you have turned off _UseDNS_. _Match_ can be used for a lot more than denying root access, of course; you can turn off password authentication, disallow access to specific local users, only allow access to specific local users, and so on. There are a lot of tricks that you can do here, so many that I'm going to leave them to your imagination (and to reading all of the ((sshd_config)) manpage).

Of course there are limits on how much additional security this will get you against a determined attacker who is specifically targeting your users. At least around here, if we made it very hard to get in by SSH from the outside Internet, a targeted attacker would just switch to compromising the user's VPN access and going from there with 'inside' access. But at least we can configure sshd to absolutely rule out certain sorts of brute force attacks against selected accounts.
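As an added illustration (not code from the original post, and not OpenSSH's own implementation), here is a small Python model of how sshd decides which settings apply to one connection. It parses a constructed sshd_config that extends the example above with _User_ and _Group_ criteria, honours CIDR ranges, wildcards and _!_ negation in criterion lists, and applies the two rules that catch people out: a matching block overrides the global section, and when several blocks match, the first one to set a keyword wins. The addresses, user names and the _contractors_ group are assumptions made up for the example; only the _Address_, _User_ and _Group_ criteria are modelled.

```python
"""Model of how OpenSSH sshd resolves Match blocks for one connection.

Added example, not sshd's own code. It models the Address, User and
Group criteria only (Host, LocalAddress, LocalPort etc. are left out).
For the authoritative answer run:  sshd -T -C addr=...,user=...
"""
import fnmatch
import ipaddress

# Constructed sshd_config in the spirit of the post's example. The
# networks, users and the "contractors" group are assumptions.
SAMPLE_CONFIG = """
PermitRootLogin no
PasswordAuthentication yes
AllowTcpForwarding yes

# root only from loopback or the internal net, and only with keys
Match Address 127.0.0.0/8,10.0.0.0/16
    PermitRootLogin prohibit-password

# root never gets a password prompt, wherever the connection comes from
Match User root
    PasswordAuthentication no

# contractors connecting from outside the internal net lose forwarding
Match Group contractors Address !10.0.0.0/16,*
    AllowTcpForwarding no
"""


def _match_entry(value, entry, is_address):
    """Match one list entry against a value: CIDR first, else wildcard."""
    if is_address:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            pass  # not a CIDR; fall back to pattern matching, as sshd does
    return fnmatch.fnmatchcase(value, entry)


def _match_list(value, pattern_list, is_address=False):
    """sshd list semantics: a '!' entry that matches vetoes; any positive hit matches."""
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if _match_entry(value, entry.lstrip("!"), is_address):
            if negated:
                return False
            matched = True
    return matched


def parse_config(text):
    """Return (global_settings, [(criteria, settings), ...]); first value of a keyword wins."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            words = arg.split()
            if len(words) % 2 and words != ["all"]:
                raise ValueError("malformed Match line: " + line)
            # "Match all" has no criteria and therefore matches every connection
            criteria = {} if words == ["all"] else {n.lower(): v for n, v in zip(words[::2], words[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            (global_settings if current is None else current).setdefault(keyword, arg)
    return global_settings, blocks


def block_matches(criteria, conn):
    """Every criterion on a Match line must hold (they are ANDed)."""
    for name, pattern in criteria.items():
        if name == "address":
            ok = _match_list(conn["addr"], pattern, is_address=True)
        elif name == "user":
            ok = _match_list(conn["user"], pattern)
        elif name == "group":  # simplified: any of the user's groups may match
            ok = any(_match_list(g, pattern) for g in conn.get("groups", ()))
        else:
            raise ValueError("criterion not modelled: " + name)
        if not ok:
            return False
    return True


def effective_settings(text, conn):
    """Settings sshd would apply: first matching block wins a keyword; blocks beat globals."""
    global_settings, blocks = parse_config(text)
    result = {}
    for criteria, settings in blocks:
        if block_matches(criteria, conn):
            for keyword, value in settings.items():
                result.setdefault(keyword, value)
    for keyword, value in global_settings.items():
        result.setdefault(keyword, value)
    return result


if __name__ == "__main__":
    for conn in ({"addr": "10.0.0.5", "user": "root", "groups": ["root"]},
                 {"addr": "203.0.113.7", "user": "root", "groups": ["root"]},
                 {"addr": "203.0.113.7", "user": "bob", "groups": ["contractors"]}):
        print(conn["user"], "from", conn["addr"], "->", effective_settings(SAMPLE_CONFIG, conn))
```

Running it shows root from 10.0.0.5 getting _prohibit-password_ while root from 203.0.113.7 stays at the global _no_, and a contractor from outside the internal net losing TCP forwarding. The model is a teaching aid for reading your own configuration; the check to actually trust on a real host is _sshd -T -C_ with the same address and user, which uses sshd's own parser.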