Bug 1180 (match)

Summary: Add finer-grained controls to sshd_config
Product: Portable OpenSSH
Reporter: Darren Tucker <dtucker>
Component: sshd
Assignee: Darren Tucker <dtucker>
Status: CLOSED FIXED
Severity: enhancement
CC: openssh-bugs, reskusic
Priority: P2
Version: -current
Hardware: All
OS: All
Bug Depends on: (none)
Bug Blocks: 1222, 1274
Attachments (description, flags):
  Add "Match" keyword to sshd_config (none)
  Updated Match patch, against portable current. (none)
  Add support for pre-authentication options to OpenSSH 4.4. (none)
  Example of how to add further options to Match, (none)
  Add support for auth types to Match (none)

Description Darren Tucker 2006-04-08 12:53:34 AEST
sshd's controls (e.g. PasswordAuthentication and so forth) are quite coarse.  It would be nice if there were finer-grained controls.
Comment 1 Darren Tucker 2006-04-08 13:04:49 AEST
Created attachment 1118
Add "Match" keyword to sshd_config

This patch (against 4.3p2) extends sshd_config to support syntax such as:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

Match User bar,baz
        AllowTcpForwarding yes

Match Host t*
        AllowTcpForwarding yes

The criteria currently supported by Match are "User [user pattern-list]", "Group [group pattern]", "Address [address pattern-list]" and "Host [host pattern-list]".  Multiple criteria may be specified on a single Match line; if so, all criteria must match before the Match block takes effect (i.e. it is a logical AND).

The directives supported inside a "Match" block are:
AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2, Banner, ChallengeResponseAuthentication, ChallengeResponseAuthentication, ClientAliveCountMax, ClientAliveInterval, GatewayPorts, GssAuthentication, GssCleanupCreds, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, IgnoreUserKnownHosts, KbdInteractiveAuthentication, KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd, KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime, MaxAuthTries, PasswordAuthentication, PermitEmptyPasswd, PermitRootLogin, PermitTunnel, PermitUserEnvironment, PrintLastLog, PrintMotd, PubkeyAuthentication, PubkeyAuthentication, RSAAuthentication, RhostsRSAAuthentication, StrictModes, UseLogin, UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost, XAuthLocation.  Only a (small) subset of these have been tested.
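The Match semantics described in this comment (comma-separated pattern lists, several criteria on one line combined by logical AND, block values overriding the global ones), as an added Python evaluator that is not part of the patch or of OpenSSH: it parses the example config above, extended with a User-plus-Address line, and reports which options a given connection ends up with. The host value is assumed to be the client's resolved hostname, and the rule that the first satisfied block wins per keyword is an assumption of this example, not something the bug states.

```python
import fnmatch

# Constructed sshd_config: the bug's example plus a two-criteria Match line (User AND Address).
SSHD_CONFIG = """\
AllowTcpForwarding no
PasswordAuthentication no
Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no
Match User bar,baz
        AllowTcpForwarding yes
Match Host t*
        AllowTcpForwarding yes
Match User admin Address 10.0.0.*
        PasswordAuthentication yes
"""
CRITERIA = ("user", "group", "address", "host")  # the four criteria the patch supports

def match_pattern_list(value, pattern_list):
    # comma-separated list of shell-style patterns ('*' and '?' wildcards); any one may match
    return any(fnmatch.fnmatchcase(value, pat) for pat in pattern_list.split(","))

def parse_config(text):
    # returns (global_opts, blocks); blocks is a file-ordered list of (criteria, opts)
    global_opts, blocks = {}, []
    current = global_opts                # keywords before any Match line are global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]   # keyword, then its arguments
        if keyword.lower() == "match":
            tokens = rest.split()        # alternating criterion / pattern-list
            if len(tokens) % 2 or any(t.lower() not in CRITERIA for t in tokens[0::2]):
                raise ValueError("bad Match line: " + line)
            current = {}
            blocks.append(({t.lower(): p for t, p in zip(tokens[0::2], tokens[1::2])}, current))
        else:
            current.setdefault(keyword, rest.strip())  # sshd keeps the first value it sees
    return global_opts, blocks

def effective_options(text, conn):
    # conn maps criterion name -> connection value; host is the resolved client hostname
    global_opts, blocks = parse_config(text)
    overrides = {}
    for criteria, opts in blocks:
        if all(match_pattern_list(conn.get(c, ""), p) for c, p in criteria.items()):  # AND
            for k, v in opts.items():
                overrides.setdefault(k, v)  # assumed: first satisfied block wins per keyword
    return {**global_opts, **overrides}
```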
Comment 2 Darren Tucker 2006-05-01 16:12:33 AEST
Created attachment 1127
Updated Match patch, against portable current.

Added support for comma-separated group lists ("Match Group foo,bar"). Fixed leaks that occurred when the ServerOption block was copied to the privsep slave.
Comment 3 Darren Tucker 2006-07-12 22:49:26 AEST
The first part of Match has been committed (just a couple of directives so far) and so it will be in v4.4.
Comment 4 Darren Tucker 2006-09-21 15:43:26 AEST
Created attachment 1184
Add support for pre-authentication options to OpenSSH 4.4.

Adds Match support for PasswordAuthentication and Banner.
Comment 5 Darren Tucker 2006-09-21 15:44:56 AEST
Created attachment 1185
Example of how to add further options to Match,

Requires OpenSSH 4.4 and patch #1184.
Comment 6 Darren Tucker 2006-10-07 12:26:05 AEST
*** Bug 22 has been marked as a duplicate of this bug. ***
Comment 7 Darren Tucker 2007-02-19 22:41:25 AEDT
Created attachment 1240
Add support for auth types to Match

This patch (against 4.5p1) allows a Match directive to control different authentication types.  This patch was just committed and will be in 4.6 but I have been asked for it several times so did the (trivial) backport to 4.5p1 and am posting it here.
Comment 8 Darren Tucker 2007-03-01 23:12:03 AEDT
The authentications are now supported.  I'll add the other options that make sense to support as time permits.
Comment 9 Damien Miller 2008-04-04 09:55:26 AEDT
Close resolved bugs after release.