necrux - Blog

SSH Match Statements

An often underused feature of OpenSSH is the Match statement. Match statements work on OpenSSH 4.4+; applicable versions ship with RHEL/CentOS 6+ and Ubuntu 12.04+. The Match directive accepts the following options:

  • Match User
  • Match Group
  • Match Host
  • Match LocalAddress
  • Match LocalPort
  • Match Address

Match statements can be used to help harden SSH but can easily become complicated when options like AllowUsers or AllowGroups are in use as Match does not accept these parameters. If your goal is to allow root to login from certain IPs, then you can disable root via the PermitRootLogin option and add root with either AllowsUsers or AllowGroups options (PermitRootLogin supersedes the other options regardless of position). After that you can explicitly allow root login from a Match block:

Match Address 127.0.0.1,192.168.0.12
PermitRootLogin yes
PasswordAuthentication yes

Note: Match blocks do not end until they reach the end of the file or hit another Match block.