Merge pull request #231 from MatthiasLohr/feature/MatchAddress

added support for `ssh_server_match_address` (#230)
dev-sec · Aug 5, 2019 · b7bc40b · b7bc40b
2 parents 9076895 + b60fe1b
commit b7bc40b
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -64,6 +64,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
 |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
 |`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_address` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -151,6 +151,9 @@ ssh_server_match_user: false            # sshd
 # list of hashes (containing group and rules) to generate Match Group blocks for.
 ssh_server_match_group: false           # sshd
 
+# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
+ssh_server_match_address: false           # sshd
+
 ssh_server_permit_environment_vars: false
 
 # maximum number of concurrent unauthenticated connections to the SSH daemon

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -254,6 +254,18 @@ Match Group sftponly
     X11Forwarding no
 {% endif %}
 
+{% if ssh_server_match_address -%}
+# Address matching configuration
+# ============================
+
+{% for item in ssh_server_match_address -%}
+Match Address {{ item.address }}
+  {% for rule in item.rules %}
+    {{ rule | indent(4) }}
+  {% endfor %}
+{% endfor %}
+{% endif %}
+
 {% if ssh_server_match_group -%}
 # Group matching configuration
 # ============================

diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -47,6 +47,11 @@
     sftp_enabled: true
     sftp_chroot: true
     #ssh_server_enabled: false
+    ssh_server_match_address:
+      - address: '192.168.1.1/24'
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
     ssh_server_match_group:
       - group: 'root'
         rules: