bugzilla-daemon at mindrot.org
2015-Apr-13 15:19 UTC
[Bug 2379] New: [RFE] sshd Match based on my IP address
https://bugzilla.mindrot.org/show_bug.cgi?id=2379

            Bug ID: 2379
           Summary: [RFE] sshd Match based on my IP address
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: riehecky at fnal.gov

Description of problem:

I would like to further extend the Match directive to include my ServerIP.

I have a system with several IP addresses on several networks, many of which are not easily captured by the 'from Host/IP' settings. The systems have an IP address they pass back and forth for HA reasons.

For example:
myhost.example.com has 4 interfaces,
 A is 203.0.113.100/2001:db8::a3,
 B is 10.2.6.8,
 C is 172.16.12.24,
 D is 198.51.100.100

I wish to set a firm rule that, no matter the origin, any connection to A must use Public Key auth - and not password auth. Similarly I've specific connection requirements on all connections on B, C, and D which themselves differ from each other (say: B allows TCP forwarding, C only permits some users, D permits root login).

With both A and D having public IP addresses, I cannot distinguish between clients based only on their origin information.

Expected results:

Something like:

Match ServerAddress 203.0.113.100
    PasswordAuthentication no

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Apr-14 03:51 UTC
[Bug 2379] [RFE] sshd Match based on my IP address
https://bugzilla.mindrot.org/show_bug.cgi?id=2379

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Does "Match LocalAddress" not already do what you want? I.e.

Match LocalAddress 203.0.113.100
    PasswordAuthentication no
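The four-interface scenario from the report, written out with `Match LocalAddress`. This is an added example, not part of the bug thread or the OpenSSH project's own configuration; the addresses are the ones in the report, while the user names, the global defaults and the choice of key-only root login on D are assumptions.

```sshd_config
# Added example (not from the bug thread). Addresses come from the report;
# user names and global defaults are assumptions.

# Global section: applies unless a Match block below overrides it.
PermitRootLogin no
AllowTcpForwarding no
PubkeyAuthentication yes

# Match blocks must come after every global setting: a block runs until
# the next Match line or the end of the file.

# A (public, IPv4 and IPv6): public key only, whatever the client's origin.
# The pattern list is comma-separated, so both address families share a block.
Match LocalAddress 203.0.113.100,2001:db8::a3
    PasswordAuthentication no
    AuthenticationMethods publickey

# B: TCP forwarding allowed on this network only.
Match LocalAddress 10.2.6.8
    AllowTcpForwarding yes

# C: only some users may log in (hypothetical account names).
Match LocalAddress 172.16.12.24
    AllowUsers alice bob

# D (public): root login permitted, restricted here to key-based login.
# "prohibit-password" is spelled "without-password" before OpenSSH 7.0.
Match LocalAddress 198.51.100.100
    PermitRootLogin prohibit-password
```

Running `sshd -T -C user=alice,host=client.example.net,addr=192.0.2.10,laddr=172.16.12.24` prints the effective settings for a connection arriving on C (the client values are constructed), so each block can be checked before the daemon is reloaded.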
bugzilla-daemon at mindrot.org
2015-Apr-14 13:44 UTC
[Bug 2379] [RFE] sshd Match based on my IP address
https://bugzilla.mindrot.org/show_bug.cgi?id=2379

Pat Riehecky <riehecky at fnal.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Pat Riehecky <riehecky at fnal.gov> ---
Somehow my search of the docs missed that option.

Match LocalAddress is exactly what I was looking for.
bugzilla-daemon at mindrot.org
2015-Apr-16 00:01 UTC
[Bug 2379] [RFE] sshd Match based on my IP address
https://bugzilla.mindrot.org/show_bug.cgi?id=2379

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|6.9p1                       |6.8p1
                 CC|                            |dtucker at zip.com.au
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2379] [RFE] sshd Match based on my IP address
https://bugzilla.mindrot.org/show_bug.cgi?id=2379

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release