[Bug 1180] Add finer-grained controls to sshd

Sat Apr 8 13:04:51 EST 2006

http://bugzilla.mindrot.org/show_bug.cgi?id=1180

------- Comment #1 from dtucker at zip.com.au  2006-04-08 13:04 -------
Created an attachment (id=1118)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1118&action=view)
Add "Match" keyword to sshd_config

This patch (against 4.3p2) extends sshd_config to support syntax such as:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

Match User bar,baz
        AllowTcpForwarding yes

Match Host t*
        AllowTcpForwarding yes

The criteria currently supported by Match are "User [user pattern-list]",
"Group [group pattern]", "Address [address pattern-list]" and "Host [host
pattern-list]".  Multiple criteria may be specified on a single Match line, if
so all criteria must match before the Match block takes effect (ie it is a
logical AND).

The directives supported inside a "Match" block are:
AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2, Banner,
ChallengeResponseAuthentication, ChallengeResponseAuthentication,
ClientAliveCountMax, ClientAliveInterval, GatewayPorts, GssAuthentication,
GssCleanupCreds, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
IgnoreRhosts, IgnoreUserKnownHosts, KbdInteractiveAuthentication,
KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd,
KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime, MaxAuthTries,
PasswordAuthentication, PermitEmptyPasswd, PermitRootLogin, PermitTunnel,
PermitUserEnvironment, PrintLastLog, PrintMotd, PubkeyAuthentication,
PubkeyAuthentication, RSAAuthentication, RhostsRSAAuthentication, StrictModes,
UseLogin, UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost,
XAuthLocation.  Only a (small) subset of these have been tested.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.