Limiting access to OpenSSH features with the Match keyword

OpenSSH 4.4 added the “Match” keyword, implemented by Darren Tucker. This super nifty keyword can be used to limit features to specific users, groups, hosts and client addresses, and allows administrators to enforce granular feature access (e.g., key-based authentication can only be used from specific hosts or subnets). To use it, add a Match line to the sshd_config configuration file with one or more criteria, followed by the directives that should apply when those criteria are met; the block runs until the next Match line or the end of the file, and its directives override the values set in the global section. The criteria available in 4.4 are “User,” “Group,” “Host,” and “Address” (later releases added more, such as LocalAddress and LocalPort). All of them take comma-separated pattern lists with the “*” and “?” wildcards and “!” negation; Address matches the client’s IP address and, on current releases, also accepts CIDR notation such as 10.0.0.0/24. Two practical consequences: because a Match block can only override the global settings, put the restrictive default in the global section and grant exceptions in Match blocks; and when several blocks apply to one connection, the first block that sets a keyword wins for that keyword, so order the specific blocks before the general ones. Run sshd -t after editing to catch syntax errors before restarting the daemon (newer releases can also print the effective settings for a given connection with sshd -T -C user=stew,addr=...). The following example shows how the Match keyword can be used to limit TCP port forwarding and X11 forwarding to the user stew:

# Global defaults: nobody may forward TCP ports or X11
AllowTcpForwarding no
X11Forwarding no

# Exception: stew may forward both
Match User stew
         AllowTcpForwarding yes
         X11Forwarding yes

The full list of directives supported inside a Match block was tracked in OpenSSH bug #1180 at the time; current releases document it under the Match keyword in sshd_config(5). This is an incredible feature, and something I have wanted for years. Thanks Darren for adding this!
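To see how the ordering rules above play out before touching a live host, here is an added example (not from the original post, and not OpenSSH’s own code) that applies Match blocks to a constructed sshd_config the way sshd_config(5) describes: criteria on one Match line are ANDed, the first value given for a keyword in a section wins, the first matching block that sets a keyword wins, and matched values override the global section. The sample configuration, user names, group names and addresses are all made up for the example; on a real system the authoritative check is sshd -T -C on current releases. The Keyword=value syntax, quoting, Match all and criteria added after 4.4 are deliberately not handled.

```python
"""Resolve the effective sshd options for a connection by applying Match blocks.

Added example, not OpenSSH code: a simplified model of sshd's Match handling.
Host is the client's resolved hostname (sshd only has it with UseDNS yes).
"""
import fnmatch
import ipaddress

# Constructed sample sshd_config: restrictive defaults, exceptions in Match blocks.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
PermitRootLogin no

# Admins may forward ports and use root's key, but only from the management LAN
Match Group admins Address 10.0.0.0/24
    AllowTcpForwarding yes
    PermitRootLogin prohibit-password

# stew may forward ports and X11 from anywhere
Match User stew
    AllowTcpForwarding yes
    X11Forwarding yes

# Contractors are locked into a chrooted SFTP session
Match Group contractors
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
"""


def match_pattern_list(patterns, value):
    """OpenSSH-style pattern list: comma separated, '*'/'?' wildcards, '!' negation.
    Returns -1 if a negated pattern matches (the whole list fails), 1 on a positive
    match, 0 when nothing matched."""
    found = 0
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negate else pat):
            if negate:
                return -1
            found = 1
    return found


def address_matches(patterns, addr):
    """Like match_pattern_list, but a pattern in CIDR form is compared numerically."""
    ip = ipaddress.ip_address(addr)
    found = 0
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        try:
            hit = ip in ipaddress.ip_network(body, strict=False)
        except ValueError:  # not CIDR or a plain address: wildcard match on the text
            hit = fnmatch.fnmatchcase(addr, body)
        if hit and negate:
            return -1
        if hit:
            found = 1
    return found


def parse_sshd_config(text):
    """Split the file into the global section and a list of (criteria, options)
    Match blocks. Keywords are lowercased, as sshd -T prints them."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if not tokens or len(tokens) % 2:
                raise ValueError(f"Match line needs criterion/pattern pairs: {line}")
            criteria = [(tokens[i].lower(), tokens[i + 1]) for i in range(0, len(tokens), 2)]
            current = {}
            blocks.append((criteria, current))
        else:
            target = global_opts if current is None else current
            target.setdefault(keyword, value)  # first value for a keyword wins
    return global_opts, blocks


def block_applies(criteria, user, groups, addr, host):
    """True when every criterion on the Match line is satisfied (they are ANDed)."""
    for name, pattern in criteria:
        if name == "user":
            ok = match_pattern_list(pattern, user) > 0
        elif name == "host":
            ok = match_pattern_list(pattern, host) > 0
        elif name == "address":
            ok = address_matches(pattern, addr) > 0
        elif name == "group":
            # primary and supplementary groups; a negated hit on any group fails
            results = [match_pattern_list(pattern, g) for g in groups]
            ok = -1 not in results and 1 in results
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True


def effective_options(text, user, groups, addr, host=""):
    """Resolve the options sshd would apply to a connection from user/groups/addr."""
    global_opts, blocks = parse_sshd_config(text)
    matched = {}
    for criteria, opts in blocks:
        if block_applies(criteria, user, groups, addr, host):
            for keyword, value in opts.items():
                matched.setdefault(keyword, value)  # first matching block wins
    return {**global_opts, **matched}  # Match values override the global section


if __name__ == "__main__":
    for who, grps, ip in [("stew", ["users"], "203.0.113.9"),
                          ("alice", ["admins"], "10.0.0.25"),
                          ("alice", ["admins"], "192.0.2.10"),
                          ("stew", ["contractors"], "198.51.100.7")]:
        opts = effective_options(SAMPLE_SSHD_CONFIG, who, grps, ip)
        print(who, ip, {k: opts[k] for k in sorted(opts)})
```

The last sample connection is the instructive one: a user stew who is also in the contractors group gets AllowTcpForwarding yes from the earlier “Match User stew” block even though the later contractors block says no, while ForceCommand and ChrootDirectory still come from the contractors block. If the intent is that contractors never forward ports, that block has to come first.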

3 Comments

x  on June 22nd, 2010

To clarify: this was actually added in OpenSSH 4.4p1.

Micheal Jackson  on June 15th, 2011

Stopping sshd: [FAILED]
Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options

—————————————–
I’m using CentOS 5.5, any clue?

Miguel  on August 20th, 2011

Yeah, your openssh is probably old. ssh -v or yum info openssh-server will report the version you are currently using, it’s probably older than 4.4p1.
