With the introduction of OpenSSH 4.3p2, Darren Tucker introduced the “Match” keyword. This super nifty keyword can be used to limit features to specific users, hosts and groups, and allows administrators to enforce granular feature access (e.g., key-based authentication can only be used from specific hosts or subnets). To use the Match feature, a Match directive needs to be added to the sshd_config configuration file with the criteria to enforce, followed by the set of directives to allow or deny; those directives override the global settings and stay in effect until the next Match line or the end of the file, so Match blocks belong after the global directives. The criteria can be “User,” “Group,” “Address,” or “Host,” and wildcards are supported when the Host criterion is used. The following example shows how the Match keyword can be used to limit TCP port forwarding and X11 port forwarding to the user stew:
AllowTcpForwarding no
X11Forwarding no

Match User stew
    AllowTcpForwarding yes
    X11Forwarding yes
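To check what a given connection would actually end up with, here is an added example (my own code, not from the original post or from OpenSSH) that parses a constructed sshd_config excerpt and resolves the effective settings the way sshd does: a Match block applies only when all of its criteria match, the first matching block to set a keyword wins, and the global section fills in the rest. It assumes a modern sshd, where Address also accepts CIDR notation.

```python
import fnmatch
import ipaddress

# Constructed sshd_config excerpt: the global section and Match block from the
# post, plus a second block (assumption: Address accepts CIDR in modern sshd).
SSHD_CONFIG = """
AllowTcpForwarding no
X11Forwarding no

Match User stew
    AllowTcpForwarding yes
    X11Forwarding yes

Match Group admins Address 10.0.0.0/8
    AllowTcpForwarding yes
"""

def parse(text):
    """Split sshd_config into the global dict and a list of (criteria, block)."""
    global_, blocks, current = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().replace("\t", " ")
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            parts = value.split()                       # "Group admins Address 10/8"
            current = {}
            blocks.append((dict(zip(parts[0::2], parts[1::2])), current))
        else:
            target = global_ if current is None else current
            target.setdefault(key.lower(), value.strip())  # first value wins

    return global_, blocks

def criterion_matches(kind, patterns, conn):
    """One criterion; comma-separated patterns are alternatives (OR)."""
    kind = kind.lower()
    for pat in patterns.split(","):
        if kind == "address":
            if ipaddress.ip_address(conn["address"]) in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(conn[kind], pat):     # '*' and '?' wildcards
            return True
    return False

def effective_settings(text, conn):
    """conn has keys user, group, address, host; returns the resolved keywords."""
    global_, blocks = parse(text)
    settings = {}
    for criteria, block in blocks:
        if all(criterion_matches(k, v, conn) for k, v in criteria.items()):
            for key, value in block.items():
                settings.setdefault(key, value)         # earlier block wins
    for key, value in global_.items():
        settings.setdefault(key, value)                 # global is the fallback
    return settings
```

Run it against a few constructed connections to confirm that only stew gets X11 forwarding and that the admins block applies only from the 10/8 range.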
The full list of directives that are supported inside a Match block is given in OpenSSH bug #1180. This is an incredible feature, and something I have wanted for years. Thanks Darren for adding this!