[Solved] sshd_config Match Rules

The man page for sshd_config(5) refers to the PATTERNS section of the ssh_config(5) man page, but the latter is ambiguous about how to use them. I wonder... Is it possible to match the same user from different hosts and have different rules that apply? AND, is it possible to match a user with a NOT (!) for Address?

The reason I ask is that I would like to have a particular user use password auth from some hosts, but keys from any host other than the specified ones.

Is this possible?
 
Re: Sshd_config Match Rules

dave said:
I wonder... Is it possible to match the same user from different hosts and have different rules that apply?
Yes, I think that's possible. You just have to make sure only one rule applies for each situation.

AND, is it possible to match a user with a NOT (!) for Address?
Yes, this should work:
Code:
Match Host !192.168.1.*, User someuser
Each pattern is AND'ed with the others. So all patterns must apply for the rule to match.
 
Re: Sshd_config Match Rules

What I'd like to do is allow a specific user to access the server by password via remote connection, and key only by local connection. In addition, remote sessions should be limited to sftp only. When I attempt to ssh from remote with the password, I am able to log in and I get a shell, which I don't want - I want the user to be limited to sftp.

So, this is all working fine, except that if I ssh from remote (i.e. I should be matching Match Host !127.0.0.1, User testuser only) I should be denied interactive login.

Here's what I have:
Code:
Match Host 127.0.0.1, User testuser
        PasswordAuthentication no
        PubkeyAuthentication yes
        AuthorizedKeysFile /usr/local/www/vhosts/testuser/ssh/authorized_keys
        ChrootDirectory /usr/local/www/vhosts/testuser
        X11Forwarding no

Match Host !127.0.0.1, User testuser
        PasswordAuthentication yes
        PubkeyAuthentication no
        ChrootDirectory /usr/local/www/vhosts/testuser
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -u 0002

If I run a debug instance of ssh on an alternate port, and log in from remote via ssh, it looks like both lines are matching. I get:
Code:
ebug1: HPN Buffer Size: 65536
debug1: sshd version OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='1234'
debug1: rexec_argv[3]='-d'
debug1: Bind to port 1234 on ::.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on :: port 1234.
debug1: Bind to port 1234 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on 0.0.0.0 port 1234.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 123.123.123.123 port 41169
debug1: HPN Disabled: 0, HPN Buffer Size: 65536
debug1: Client protocol version 2.0; client software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Remote is not HPN-aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user testuser matched 'User testuser' at line 168
debug1: user testuser matched 'User testuser' at line 175
debug1: PAM: initializing for "testuser"
debug1: PAM: setting PAM_RHOST to "d123.123.123.123.my.isp.net"
debug1: userauth-request for user testuser service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file /home/testuser/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: trying public key file /home/testuser/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/testuser/.ssh/authorized_keys2': No such file or directory
Failed publickey for testuser from 123.123.123.123 port 41169 ssh2
debug1: userauth-request for user testuser service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file /home/testuser/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: trying public key file /home/testuser/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/testuser/.ssh/authorized_keys2': No such file or directory
Failed publickey for testuser from 123.123.123.123 port 41169 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=testuser devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for testuser from 123.123.123.123 port 41169 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for testuser from 123.123.123.123 port 41169 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for testuser from 123.123.123.123 port 41169 ssh2
debug1: monitor_child_preauth: testuser has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 66008
debug1: PAM: establishing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 66009
debug1: session_exit_message: session 0 channel 0 pid 66009
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/1
debug1: session_pty_cleanup: session 0 release /dev/pts/1
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Received disconnect from 123.123.123.123: 11: disconnected by user
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
 
Re: sshd_config Match Rules

I finally figured this one out. I found the info here.

Note that for negation a wildcard must be specified first and then the address or range to be excluded following it.

Note below that I needed to add a wildcard before the negation of 127.0.0.1 on line 1.
Code:
Match User testuser, Address *,!127.0.0.1
	ChrootDirectory /path/testusersdir
	PasswordAuthentication yes
	PubkeyAuthentication no
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp -u 0002

Match User testuser, Address 127.0.0.1
	PasswordAuthentication no
	PubkeyAuthentication yes
	AuthorizedKeysFile /path/testusersdir/ssh/authorized_keys

With this setup a user only has sftp access via remote, but they can log in interactively via ssh key to the local machine. This allows WordPress editors to only edit via sftp from remote, but still have point-and-click updates and plugin/theme installs.
 