Match and AuthorizedKeysFile, was Re: sshd config parser

Jon Peatfield J.S.Peatfield at damtp.cam.ac.uk
Sat Jan 24 14:55:11 EST 2009


I hope no-one minds me replying to such an old message... :-)

On Sun, 2 Apr 2006, Darren Tucker wrote:

> Hi All.
>
> Here's an updated patch.  It's not actually as big as it looks as nearly
> half of it is adding a flag to the keyword struct and a large comment.
>
> The supported Match directives are User, Group, Host and Address.
>
> The directives supported inside a Match block are:
>
> UsePAM, LoginGraceTime, PermitRootLogin, LogFacility,
> LogLevel, RhostsRSAAuthentication, HostbasedAuthentication,
> HostbasedUsesNameFromPacketOnly, RSAAuthentication, PubkeyAuthentication,
> PubkeyAuthentication, KerberosAuthentication, KerberosOrLocalPasswd,
> KerberosTicketCleanup, KerberosGetAFSToken, GssAuthentication,
> GssCleanupCreds, PasswordAuthentication, KbdInteractiveAuthentication,
> ChallengeResponseAuthentication, ChallengeResponseAuthentication,
> PrintMotd, PrintLastLog, IgnoreRhosts, IgnoreUserKnownHosts,
> X11Forwarding, X11DisplayOffset, X11UseLocalhost, XAuthLocation,
> StrictModes, PermitEmptyPasswd, PermitUserEnvironment, UseLogin,
> AllowTcpForwarding, GatewayPorts, MaxAuthTries, Banner,
> ClientAliveInterval, ClientAliveCountMax, AuthorizedKeysFile,
> AuthorizedKeysFile2, AcceptEnv, PermitTunnel
> (not all of those are tested, though)
<snip>

I note AuthorizedKeysFile is listed.

I was just doing some testing of a system using a fairly freshly built 
openssh-5.1p1 and started experimenting with Match options and found that 
AuthorizedKeysFile is not allowed in a Match block - the struct keywords[] 
entry for it contains SSHCFG_GLOBAL rather than SSHCFG_ALL so I didn't 
look much further into the code.

Anyway, I thought it *might* be useful to patch openssh to allow it to work 
in a Match, so first I checked back through old mail to the list - in 
case anyone had already suggested it - and found the info above from 2006.

If Match was originally going to allow this, was it dropped because it 
caused some problem, or would adding it be lots of work?

On a slightly different matter, has anyone already suggested adding Match 
options to select on the address/hostname and/or port that the sshd 
accepted the connection on?

I'm thinking of things like:

   # connection to addresses connected to trusted networks
   Match localaddress x.x.x.x x1.x1.x1.x1 127.0.0.1
     HostbasedAuthentication yes

   # connection to a 'service' address
   Match localaddress y.y.y.y
     HostbasedAuthentication no
     ForceCommand ....

Of course one can run different sshds with different settings for these, 
each listening on the relevant addresses/ports, so it isn't exactly vital.

  -- Jon
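The thread turns on a detail of sshd's config parser: each entry in the keywords[] table carries a flag (SSHCFG_GLOBAL or SSHCFG_ALL) that decides whether the directive may appear inside a Match block, and the poster found AuthorizedKeysFile flagged global-only in 5.1p1. The Python below is an added toy model of that mechanism, written for this page and not taken from OpenSSH: it parses an sshd_config-style text, refuses a global-only directive inside Match (as sshd does), evaluates Match criteria against a connection description, and resolves the effective options. The directive subset, the flag values, the connection dictionary, the sample configs and the `localaddress` criterion (modelled on the suggestion in the message) are all constructed for illustration; the "first obtained value wins" rule it applies is the one sshd_config(5) documents.

```python
"""Toy model of how sshd gates directives inside Match blocks.

Added example, not OpenSSH code.  The flag names SSHCFG_GLOBAL/SSHCFG_ALL
come from the message above; the directive subset, sample configs and the
'localaddress' criterion are constructed here for illustration.
"""
import fnmatch
import ipaddress

SSHCFG_GLOBAL = "global"   # directive allowed only outside a Match block
SSHCFG_ALL = "all"         # directive allowed anywhere

# Tiny stand-in for sshd's keywords[] table: directive -> scope flag.
KEYWORDS = {
    "port": SSHCFG_GLOBAL,
    "listenaddress": SSHCFG_GLOBAL,
    "authorizedkeysfile": SSHCFG_GLOBAL,   # as the poster observed in 5.1p1
    "passwordauthentication": SSHCFG_ALL,
    "hostbasedauthentication": SSHCFG_ALL,
    "forcecommand": SSHCFG_ALL,
}

# Criteria accepted on a Match line (localaddress is the constructed one).
MATCH_CRITERIA = ("user", "group", "host", "address", "localaddress")


class ConfigError(ValueError):
    """Raised for the same classes of error sshd reports at parse time."""


def _parse_match_criteria(args, lineno):
    # sshd's Match syntax is criterion/pattern pairs; patterns are comma lists.
    if not args or len(args) % 2:
        raise ConfigError(f"line {lineno}: Match needs criterion/pattern pairs")
    criteria = {}
    for crit, patterns in zip(args[0::2], args[1::2]):
        crit = crit.lower()
        if crit not in MATCH_CRITERIA:
            raise ConfigError(f"line {lineno}: unsupported Match criterion '{crit}'")
        criteria[crit] = patterns.split(",")
    return criteria


def parse_sshd_config(text):
    """Return (global_opts, [(criteria, block_opts), ...]).

    A directive flagged SSHCFG_GLOBAL inside a Match block is rejected, which
    is exactly why AuthorizedKeysFile failed for the poster.
    """
    global_opts, blocks = {}, []
    scope = global_opts                      # dict currently receiving directives
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            scope = {}
            blocks.append((_parse_match_criteria(args, lineno), scope))
            continue
        if keyword not in KEYWORDS:
            raise ConfigError(f"line {lineno}: unknown directive '{parts[0]}'")
        if scope is not global_opts and KEYWORDS[keyword] == SSHCFG_GLOBAL:
            raise ConfigError(
                f"line {lineno}: directive '{parts[0]}' is not allowed within a Match block")
        if not args:
            raise ConfigError(f"line {lineno}: missing argument for '{parts[0]}'")
        scope.setdefault(keyword, " ".join(args))   # first obtained value wins
    return global_opts, blocks


def _addr_matches(addr, pattern):
    # CIDR or plain address first; fall back to a wildcard pattern.
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(addr, pattern)


def _criterion_matches(crit, patterns, conn):
    if crit in ("address", "localaddress"):
        return any(_addr_matches(conn[crit], p) for p in patterns)
    if crit == "group":
        return any(fnmatch.fnmatchcase(g, p) for g in conn["groups"] for p in patterns)
    return any(fnmatch.fnmatchcase(conn[crit], p) for p in patterns)


def block_matches(criteria, conn):
    """All criteria on a Match line must hold for the block to apply."""
    return all(_criterion_matches(c, p, conn) for c, p in criteria.items())


def effective_options(parsed, conn):
    """Global options overridden by matching blocks; earlier blocks win."""
    global_opts, blocks = parsed
    overrides = {}
    for criteria, opts in blocks:
        if block_matches(criteria, conn):
            for key, value in opts.items():
                overrides.setdefault(key, value)
    return {**global_opts, **overrides}


# Constructed sample config in the spirit of the message's suggestion.
SAMPLE_CONFIG = """
Port 22
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

# connections arriving on addresses facing trusted networks
Match LocalAddress 10.0.0.1,127.0.0.1
    HostbasedAuthentication yes

# connections to the 'service' address from the backup account
Match LocalAddress 10.0.0.2 User backup
    HostbasedAuthentication no
    ForceCommand /usr/local/bin/backup-shell
"""

# Constructed config that sshd 5.1p1 would reject for the reason discussed.
BAD_CONFIG = """
Match User jon
    AuthorizedKeysFile /etc/ssh/keys/%u
"""

if __name__ == "__main__":
    conn = {"user": "alice", "groups": ["users"], "host": "ws1.example.org",
            "address": "192.0.2.10", "localaddress": "10.0.0.1"}
    print(effective_options(parse_sshd_config(SAMPLE_CONFIG), conn))
```

Running the module prints the options a trusted-network connection ends up with; parsing `BAD_CONFIG` raises `ConfigError` with a message in the style of sshd's own, which is the check a real deployment would hit at `sshd -t` time.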

