diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2008-06-10 22:59:10 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-10 22:59:10 +1000 |
| commit | 7a3935de2facb227ea1fc2ce2de046b569a2ebc7 (patch) | |
| tree | d0545c3c568f1de7f3edd0a3254ab3b5547a6059 /sshd_config.5 | |
| parent | 588fe0efa4e7cb74fc071c5271348d13ea06528b (diff) | |
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes
addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@
Diffstat (limited to 'sshd_config.5')
| -rw-r--r-- | sshd_config.5 | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 0d8c140bf..dc42959e2 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -34,8 +34,8 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $ |
| 38 | .Dd $Mdocdate: May 8 2008 $ | 38 | .Dd $Mdocdate: June 10 2008 $ |
| 39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those | |||
| 557 | set in the global section of the config file, until either another | 557 | set in the global section of the config file, until either another |
| 558 | .Cm Match | 558 | .Cm Match |
| 559 | line or the end of the file. | 559 | line or the end of the file. |
| 560 | .Pp | ||
| 560 | The arguments to | 561 | The arguments to |
| 561 | .Cm Match | 562 | .Cm Match |
| 562 | are one or more criteria-pattern pairs. | 563 | are one or more criteria-pattern pairs. |
| @@ -566,6 +567,27 @@ The available criteria are | |||
| 566 | .Cm Host , | 567 | .Cm Host , |
| 567 | and | 568 | and |
| 568 | .Cm Address . | 569 | .Cm Address . |
| 570 | The match patterns may consist of single entries or comma-separated | ||
| 571 | lists and may use the wildcard and negation operators described in the | ||
| 572 | .Sx SSH_KNOWN_HOSTS FILE FORMAT | ||
| 573 | section of | ||
| 574 | .Xr sshd 8 . | ||
| 575 | .Pp | ||
| 576 | The patterns in an | ||
| 577 | .Cm Address | ||
| 578 | criteria may additionally contain addresses to match in CIDR | ||
| 579 | address/masklen format, e.g. | ||
| 580 | .Dq 192.0.2.0/24 | ||
| 581 | or | ||
| 582 | .Dq 3ffe:ffff::/32 . | ||
| 583 | Note that the mask length provided must be consistent with the address - | ||
| 584 | it is an error to specify a mask length that is too long for the address | ||
| 585 | or one with bits set in this host portion of the address. For example, | ||
| 586 | .Dq 192.0.2.0/33 | ||
| 587 | and | ||
| 588 | .Dq 192.0.2.0/8 | ||
| 589 | respectively. | ||
| 590 | .Pp | ||
| 569 | Only a subset of keywords may be used on the lines following a | 591 | Only a subset of keywords may be used on the lines following a |
| 570 | .Cm Match | 592 | .Cm Match |
| 571 | keyword. | 593 | keyword. |