author | Darren Tucker <dtucker@zip.com.au> | 2008-06-10 22:59:10 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-10 22:59:10 +1000 |
commit | 7a3935de2facb227ea1fc2ce2de046b569a2ebc7 (patch) | |
tree | d0545c3c568f1de7f3edd0a3254ab3b5547a6059 /sshd_config.5 | |
parent | 588fe0efa4e7cb74fc071c5271348d13ea06528b (diff) |
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes
addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 0d8c140bf..dc42959e2 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $ |
38 | .Dd $Mdocdate: May 8 2008 $ | 38 | .Dd $Mdocdate: June 10 2008 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those | |||
557 | set in the global section of the config file, until either another | 557 | set in the global section of the config file, until either another |
558 | .Cm Match | 558 | .Cm Match |
559 | line or the end of the file. | 559 | line or the end of the file. |
560 | .Pp | ||
560 | The arguments to | 561 | The arguments to |
561 | .Cm Match | 562 | .Cm Match |
562 | are one or more criteria-pattern pairs. | 563 | are one or more criteria-pattern pairs. |
@@ -566,6 +567,27 @@ The available criteria are | |||
566 | .Cm Host , | 567 | .Cm Host , |
567 | and | 568 | and |
568 | .Cm Address . | 569 | .Cm Address . |
570 | The match patterns may consist of single entries or comma-separated | ||
571 | lists and may use the wildcard and negation operators described in the | ||
572 | .Sx SSH_KNOWN_HOSTS FILE FORMAT | ||
573 | section of | ||
574 | .Xr sshd 8 . | ||
575 | .Pp | ||
576 | The patterns in an | ||
577 | .Cm Address | ||
578 | criteria may additionally contain addresses to match in CIDR | ||
579 | address/masklen format, e.g. | ||
580 | .Dq 192.0.2.0/24 | ||
581 | or | ||
582 | .Dq 3ffe:ffff::/32 . | ||
583 | Note that the mask length provided must be consistent with the address - | ||
584 | it is an error to specify a mask length that is too long for the address | ||
585 | or one with bits set in this host portion of the address. For example, | ||
586 | .Dq 192.0.2.0/33 | ||
587 | and | ||
588 | .Dq 192.0.2.0/8 | ||
589 | respectively. | ||
590 | .Pp | ||
569 | Only a subset of keywords may be used on the lines following a | 591 | Only a subset of keywords may be used on the lines following a |
570 | .Cm Match | 592 | .Cm Match |
571 | keyword. | 593 | keyword. |