SSH Match Statements
An often underused feature of OpenSSH is the Match statement. Match statements work on OpenSSH 4.4+; applicable versions ship with RHEL/CentOS 6+ and Ubuntu 12.04+. The Match directive accepts the following options:
- Match User
- Match Group
- Match Host
- Match LocalAddress
- Match LocalPort
- Match Address
Match statements can be used to help harden SSH but can easily become complicated when options like AllowUsers
or AllowGroups
are in use as Match does not accept these parameters. If your goal is to allow root to login from certain IPs, then you can disable root via the PermitRootLogin
option and add root with either AllowsUsers
or AllowGroups
options (PermitRootLogin
supersedes the other options regardless of position). After that you can explicitly allow root login from a Match block:
Match Address 127.0.0.1,192.168.0.12
PermitRootLogin yes
PasswordAuthentication yes
Note: Match blocks do not end until they reach the end of the file or hit another Match block.