Bug 2379

Summary: [RFE] sshd Match based on my IP address
Product: Portable OpenSSH
Reporter: Pat Riehecky <riehecky>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME
Severity: enhancement
CC: djm, dtucker
Priority: P5
Version: 6.8p1
Hardware: All
OS: Linux

Description Pat Riehecky 2015-04-14 01:19:46 AEST
Description of problem:
I would like to further extend the Match directive to include my ServerIP.

I have a system with several IP addresses on several networks, many of which are not easily captured by the 'from Host/IP' settings.  The systems have an IP address they pass back and forth for HA reasons.

For example:

myhost.example.com has 4 interfaces, A is 203.0.113.100/2001:db8::a3, B is 10.2.6.8, C is 172.16.12.24, D is 198.51.100.100

I wish to set a firm rule that, no matter the origin, any connection to A must use Public Key auth - and not password auth.  Similarly I've specific connection requirements on all connections on B, C, and D which themselves differ from each other (say: B allows TCP forwarding, C only permits some users, D permits root login).  With both A and D having public IP addresses, I cannot distinguish between clients based only on their origin information.


Expected results:

Something like:
Match ServerAddress 203.0.113.100
  PasswordAuthentication no

Comment 1 Damien Miller 2015-04-14 13:51:08 AEST
Does "Match LocalAddress" not already do what you want? I.e.

Match LocalAddress 203.0.113.100
  PasswordAuthentication no
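
The per-address policy from the description, written out with Match LocalAddress as an added example (not part of the bug thread or the OpenSSH project's own text). The account names and the client values in the check command are constructed placeholders.

```sshconfig
# Constructed sshd_config fragment for the four addresses in the report.
# Global section: restrictive defaults for every listening address.
PasswordAuthentication yes
AllowTcpForwarding no
PermitRootLogin no

# Match blocks go last: each one runs until the next Match line or
# end of file, and its keywords override the global section.

# A (IPv4 and IPv6): public key only, whatever the client's origin.
Match LocalAddress 203.0.113.100,2001:db8::a3
  PasswordAuthentication no
  AuthenticationMethods publickey

# B: TCP forwarding allowed.
Match LocalAddress 10.2.6.8
  AllowTcpForwarding yes

# C: only named accounts (alice and bob are placeholders).
Match LocalAddress 172.16.12.24
  AllowUsers alice bob

# D: root login permitted, keys only.
Match LocalAddress 198.51.100.100
  PermitRootLogin without-password

# Check the effective settings for one address before reloading sshd
# (user, host and addr values are constructed):
#   sshd -T -C user=alice,host=client.example.net,addr=192.0.2.10,laddr=203.0.113.100,lport=22
```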

Comment 2 Pat Riehecky 2015-04-14 23:44:29 AEST
Somehow my search of the docs missed that option.

Match LocalAddress is exactly what I was looking for.

Comment 3 Damien Miller 2016-08-02 10:42:49 AEST
Close all resolved bugs after 7.3p1 release