Merge pull request #231 from MatthiasLohr/feature/MatchAddress

rndmh3ro · web-flow · commit b7bc40bb742d · 2019-08-05T14:43:43.000+02:00
added support for `ssh_server_match_address` (#230)
diff --git a/README.md b/README.md
@@ -64,6 +64,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
 |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
 |`ssh_server_hardening` | `true` | `false` to stop harden the server |
+|`ssh_server_match_address` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -151,6 +151,9 @@ ssh_server_match_user: false            # sshd
 # list of hashes (containing group and rules) to generate Match Group blocks for.
 ssh_server_match_group: false           # sshd
 
+# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
+ssh_server_match_address: false           # sshd
+
 ssh_server_permit_environment_vars: false
 
 # maximum number of concurrent unauthenticated connections to the SSH daemon
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -254,6 +254,18 @@ Match Group sftponly
     X11Forwarding no
 {% endif %}
 
+{% if ssh_server_match_address -%}
+# Address matching configuration
+# ============================
+
+{% for item in ssh_server_match_address -%}
+Match Address {{ item.address }}
+  {% for rule in item.rules %}
+    {{ rule | indent(4) }}
+  {% endfor %}
+{% endfor %}
+{% endif %}
+
 {% if ssh_server_match_group -%}
 # Group matching configuration
 # ============================
diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -47,6 +47,11 @@
     sftp_enabled: true
     sftp_chroot: true
     #ssh_server_enabled: false
+    ssh_server_match_address:
+      - address: '192.168.1.1/24'
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
     ssh_server_match_group:
       - group: 'root'
         rules:
