on ssh

this combo allows only 1 ip to root access with key…

in authorized_keys
from=”123.234.345.567” ssh-rsa AAAAmypubkeyverylong== [email protected]

in sshd_config
PermitRootLogin without-password

this allows sftp only..no shell access for root. we can jolly combine this with
PermitRootLogin without-password
for scripted file transfers and the like.

[email protected]:~$ ssh [email protected]
Enter passphrase for key ‘/home/lz/.ssh/id_rsa’:
[email protected]’s password:
This service allows sftp connections only.
Connection to 234.345.456.567 closed.

in sshd_config

Match User root
ForceCommand internal-sftp