# Root SSH Exception for Admin Servers **Standard policy:** `PermitRootLogin no` + `AllowUsers ippadmin` on all servers. **Exception granted for:** app1, app2, app3 (netcup RS 4000 G12 admin/infrastructure servers). **Rationale:** Automated provisioning and deployment by Sho'Nuff requires root-level access without sudo password workarounds. These servers run infrastructure services (AI stack, networking management, WordPress platform) that need frequent configuration changes. **Restrictions:** - Root access is **key-only** — no password authentication - Only the `itpp-infra` SSH key is authorized - `/root/.ssh/authorized_keys` contains the same key as ippadmin's - `AllowUsers ippadmin root` — both users explicitly allowed - `PasswordAuthentication no` still enforced - `PermitRootLogin prohibit-password` (key only, no password) **Setup commands (from Core):** ```bash ssh -i /root/.ssh/itpp-infra ippadmin@ # Deploy root's authorized_keys sudo mkdir -p /root/.ssh sudo cp /home/ippadmin/.ssh/authorized_keys /root/.ssh/ sudo chmod 700 /root/.ssh sudo chmod 600 /root/.ssh/authorized_keys # Update sshd_config sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config sudo sed -i 's/^AllowUsers.*/AllowUsers ippadmin root/' /etc/ssh/sshd_config sudo systemctl restart sshd ``` **Verification:** ```bash ssh -i /root/.ssh/itpp-infra root@ "hostname" ``` **Pitfall:** If ippadmin was created with `--disabled-password`, `su` and `sudo -S` will fail because there's no password. This blocks automated provisioning via ippadmin. Solution: set up root SSH BEFORE closing the initial root session during provisioning, or use the netcup console.