Bug 1180 (match) - Add finer-grained controls to sshd_config
Summary: Add finer-grained controls to sshd_config
Status: CLOSED FIXED
Alias: match
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: Darren Tucker
Duplicates: 22
Blocks: V_4_5 V_4_6
Reported: 2006-04-08 12:53 AEST by Darren Tucker
Modified: 2008-04-04 09:55 AEDT (History)
Attachments
- Add "Match" keyword to sshd_config (32.71 KB, patch) -- 2006-04-08 13:04 AEST, Darren Tucker
- Updated Match patch, against portable current. (35.04 KB, patch) -- 2006-05-01 16:12 AEST, Darren Tucker
- Add support for pre-authentication options to OpenSSH 4.4. (5.33 KB, patch) -- 2006-09-21 15:43 AEST, Darren Tucker
- Example of how to add further options to Match (887 bytes, patch) -- 2006-09-21 15:44 AEST, Darren Tucker
- Add support for auth types to Match (10.08 KB, patch) -- 2007-02-19 22:41 AEDT, Darren Tucker

Description Darren Tucker 2006-04-08 12:53:34 AEST
sshd's controls (e.g. PasswordAuthentication and so forth) are quite coarse.  It would be nice if there were finer-grained controls.
Comment 1 Darren Tucker 2006-04-08 13:04:49 AEST
Created attachment 1118 [details]
Add "Match" keyword to sshd_config

This patch (against 4.3p2) extends sshd_config to support syntax such as:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

Match User bar,baz
        AllowTcpForwarding yes

Match Host t*
        AllowTcpForwarding yes

The criteria currently supported by Match are "User [user pattern-list]", "Group [group pattern]", "Address [address pattern-list]" and "Host [host pattern-list]".  Multiple criteria may be specified on a single Match line; if so, all criteria must match before the Match block takes effect (i.e. it is a logical AND).

The directives supported inside a "Match" block are:
AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2, Banner, ChallengeResponseAuthentication, ClientAliveCountMax, ClientAliveInterval, GatewayPorts, GssAuthentication, GssCleanupCreds, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, IgnoreUserKnownHosts, KbdInteractiveAuthentication, KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd, KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime, MaxAuthTries, PasswordAuthentication, PermitEmptyPasswd, PermitRootLogin, PermitTunnel, PermitUserEnvironment, PrintLastLog, PrintMotd, PubkeyAuthentication, RSAAuthentication, RhostsRSAAuthentication, StrictModes, UseLogin, UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost, XAuthLocation.  Only a (small) subset of these have been tested.
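An added Python model of the Match semantics described in this comment (not OpenSSH's code): it parses the config fragment above, applies the comma-separated pattern lists and the logical-AND rule, and reports the options a given connection would end up with. It assumes the sshd_config(5) pattern rules ('!' negation) and first-matching-block precedence, neither of which this comment states, and checks only a single group for the Group criterion.

```python
import fnmatch

SAMPLE_CONFIG = """AllowTcpForwarding no
Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no
Match User bar,baz
        AllowTcpForwarding yes
Match Host t*
        AllowTcpForwarding yes
"""  # constructed sample: the sshd_config fragment from Comment 1 above

def match_pattern_list(value, patterns):
    """sshd PATTERNS rules (assumed): comma-separated, * and ? wildcards, '!' negates."""
    matched = False
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(value, pat.lstrip("!")):
            if pat.startswith("!"):
                return False  # a matching negated pattern rejects outright
            matched = True
    return matched

def parse_config(text):
    """Return (global options, [(criteria, options) per Match block])."""
    global_opts, blocks, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, rest = line.split(None, 1)
        if key.lower() == "match":
            toks = rest.split()  # e.g. "User bar,baz Address 10.0.0.*"
            crit = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks), 2)}
            current = {}
            blocks.append((crit, current))
        else:
            (global_opts if current is None else current)[key] = rest
    return global_opts, blocks

def effective_options(text, user, group, address, host):
    """Options for one connection. All criteria on a Match line must hold
    (logical AND); the first matching block to set a keyword wins and the
    global value is the fallback (assumed). Single group only, for brevity."""
    conn = {"user": user, "group": group, "address": address, "host": host}
    global_opts, blocks = parse_config(text)
    result = {}
    for crit, opts in blocks:
        if all(match_pattern_list(conn[c], p) for c, p in crit.items()):
            for k, v in opts.items():
                result.setdefault(k, v)
    return {**global_opts, **result}
```

Current sshd releases can answer the same question directly with `sshd -T -C user=...,addr=...,host=...`, which is the check to run before relying on a Match block.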
Comment 2 Darren Tucker 2006-05-01 16:12:33 AEST
Created attachment 1127 [details]
Updated Match patch, against portable current.

Added support for comma-separated group lists ("Match Group foo,bar"). Fixed leaks that occurred when the ServerOption block was copied to the privsep slave.
Comment 3 Darren Tucker 2006-07-12 22:49:26 AEST
The first part of Match has been committed (just a couple of directives so far) and so it will be in v4.4.
Comment 4 Darren Tucker 2006-09-21 15:43:26 AEST
Created attachment 1184 [details]
Add support for pre-authentication options to OpenSSH 4.4.

Adds Match support for PasswordAuthentication and Banner.
Comment 5 Darren Tucker 2006-09-21 15:44:56 AEST
Created attachment 1185 [details]
Example of how to add further options to Match,

Requires OpenSSH 4.4 and patch #1184.
Comment 6 Darren Tucker 2006-10-07 12:26:05 AEST
*** Bug 22 has been marked as a duplicate of this bug. ***
Comment 7 Darren Tucker 2007-02-19 22:41:25 AEDT
Created attachment 1240 [details]
Add support for auth types to Match

This patch (against 4.5p1) allows a Match directive to control different authentication types.  This patch was just committed and will be in 4.6 but I have been asked for it several times so did the (trivial) backport to 4.5p1 and am posting it here.
Comment 8 Darren Tucker 2007-03-01 23:12:03 AEDT
The authentications are now supported.  I'll add the other options that make sense to support as time permits.
Comment 9 Damien Miller 2008-04-04 09:55:26 AEDT
Close resolved bugs after release.