Description
As per synopsis. Match section from OpenSSH's sshd_config(8) follows:
Match Introduces a conditional block. If all of the criteria on the
Match line are satisfied, the keywords on the following lines
override those set in the global section of the config file,
until either another Match line or the end of the file. The
arguments to Match are one or more criteria-pattern pairs. The
available criteria are User, Group, Host, and Address. Only a
subset of keywords may be used on the lines following a Match
keyword. Available keywords are AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSApiAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, RhostsRSAAuthentication,
RSAAuthentication, X11DisplayOffset, X11Forwarding, and
X11UseLocalHost.
I need this for my own system configuration, but I need to make AllowUsers
conditional on destination address.
I have a bastion host. When a connection arrives over my internal network,
I want to allow all internal users to access it. When a connection arrives
over the global Internet, I want to allow only a few users to get access.
I currently do this by running two copies of sshd. One is bound to "::",
and has AllowUsers set to the restricted subset. The other is bound to
my internal RFC 1918 address, and doesn't have AllowUsers set. It's a bit
of a kludge, but it works. Having Match would be *much* more elegant.
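
The Match semantics quoted above, as an added Python example that is not part of the original report or of OpenSSH's code: it evaluates a constructed configuration for one connection and rejects keywords outside the quoted list, such as AllowUsers. Pattern matching is simplified to shell-style globs, and keeping the first value seen for a keyword is an assumption; `effective_config`, `SAMPLE` and the connection dictionary are hypothetical names.

```python
import fnmatch

# Keywords the quoted sshd_config(8) text allows after a Match line.
MATCH_KEYWORDS = {k.lower() for k in (
    "AllowTcpForwarding Banner ForceCommand GatewayPorts GSSApiAuthentication "
    "KbdInteractiveAuthentication KerberosAuthentication PasswordAuthentication "
    "PermitOpen RhostsRSAAuthentication RSAAuthentication X11DisplayOffset "
    "X11Forwarding X11UseLocalHost").split()}
CRITERIA = {"user", "group", "host", "address"}

# Constructed sample configuration, not taken from the page.
SAMPLE = """\
PasswordAuthentication no
X11Forwarding no
Match Address 10.*
    PasswordAuthentication yes
Match User alice Address 10.*
    X11Forwarding yes
"""

def effective_config(text, conn):
    """Settings for one connection; conn maps each criterion to a string.

    Assumptions: patterns are comma-separated shell-style globs, and the
    first value seen for a keyword in a scope is the one kept.
    """
    base, over = {}, {}
    in_match, active = False, True
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        key = keyword.lower()
        if key == "match":
            words = arg.split()
            if not words or len(words) % 2:
                raise ValueError(f"line {n}: Match needs criteria-pattern pairs")
            if any(c.lower() not in CRITERIA for c in words[::2]):
                raise ValueError(f"line {n}: unknown Match criterion")
            # Every criterion on the Match line must be satisfied.
            in_match, active = True, all(
                any(fnmatch.fnmatchcase(conn.get(c.lower(), ""), p)
                    for p in pats.split(","))
                for c, pats in zip(words[::2], words[1::2]))
        elif in_match and key not in MATCH_KEYWORDS:
            raise ValueError(f"line {n}: {keyword} is not allowed after Match")
        elif in_match and active:
            over.setdefault(key, arg.strip())
        elif not in_match:
            base.setdefault(key, arg.strip())
    return {**base, **over}
```

Calling `effective_config(SAMPLE, {"user": "bob", "address": "10.1.2.3"})` returns the global settings with `PasswordAuthentication` overridden to `yes`.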