We have customers at Red Hat wanting to have a different SSHD configuration snippet based on the user's name (e.g. to force keyboard-interactive authentication when the user is "LLNNNNN" (L = letter, N = digit)). The "User" token pattern matching isn't smart enough to filter this kind of "LLNNNNN" pattern. IMHO this requires having the possibility to use the "exec" token in a Match stanza on the server side, but this isn't possible for now:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Match
    Introduces a conditional block. [...] The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Allowing the use of "exec" would enable having tons of customizations possible.

Additionally, there is no simple workaround available for now; it requires having multiple SSHD instances, one for "normal users" and one for "LLNNNNN" users, but this isn't enough: it also requires crafting a PAM module to prohibit the "LLNNNNN" users from connecting through the "normal users" instance, which makes the workaround difficult to implement.
Adding "match exec" to the server will probably not happen - it's fairly risky and would make it easy for users to allow DoS. This seems like something that could be done using a PAM module + AuthenticationMethods though
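As an added illustration (not code from this thread or from OpenSSH), the following reimplements the '*' / '?' pattern-list matching that sshd_config Match criteria use, written from the ssh_config(5) PATTERNS description, and contrasts it with the regular expression a PAM module or an exec hook could evaluate. It shows the limitation the reporter describes: the closest "Match User" pattern, seven '?' characters, also accepts names that are not LLNNNNN. The names auth_methods_for, BLOCKS and the sample user names are constructed for the example.

```python
import re

# Reimplementation, from the ssh_config(5) PATTERNS description, of the
# glob matching sshd applies to Match criteria (assumption: not OpenSSH's code).
# '*' matches any run of characters, '?' exactly one; there are no [..] classes.
def match_pattern(s: str, pattern: str) -> bool:
    si = pi = 0
    star = -1          # position of the last '*' seen in pattern
    star_s = 0         # position in s where that '*' started matching
    while si < len(s):
        c = pattern[pi] if pi < len(pattern) else None
        if c is not None and c != "*" and (c == "?" or c == s[si]):
            si += 1
            pi += 1
        elif c == "*":
            star, star_s, pi = pi, si, pi + 1
        elif star != -1:   # backtrack: let the last '*' swallow one more char
            star_s += 1
            si, pi = star_s, star + 1
        else:
            return False
    while pi < len(pattern) and pattern[pi] == "*":
        pi += 1
    return pi == len(pattern)

# Comma-separated pattern-list; a '!'-negated entry that matches rejects outright.
def match_pattern_list(s: str, pattern_list: str) -> bool:
    got_positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if match_pattern(s, pat[1:] if negated else pat):
            if negated:
                return False
            got_positive = True
    return got_positive

# First satisfied Match block wins for a keyword, as in sshd_config(5).
def auth_methods_for(user: str, match_blocks, default="publickey"):
    for user_patterns, methods in match_blocks:
        if match_pattern_list(user, user_patterns):
            return methods
    return default

# The LLNNNNN rule as a regular expression: what an exec hook or a PAM module
# could evaluate, and what a Match User glob cannot express.
LLNNNNN = re.compile(r"[A-Za-z]{2}[0-9]{5}")

def is_llnnnnn(user: str) -> bool:
    return LLNNNNN.fullmatch(user) is not None

# Constructed sample config: the closest Match User pattern is seven '?'s.
BLOCKS = [("???????", "keyboard-interactive")]
```

Running auth_methods_for over "ab12345", "abcdefg" and "alice" returns keyboard-interactive for the first two and the default for the third, while is_llnnnnn accepts only "ab12345".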