78

I'm using a Match block in OpenSSH's /etc/ssh/sshd_config (on debian) to restrict some users to SFTP:

# my stuff
Match group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -u 0002
    ChrootDirectory %h

As you can see, I use a #my stuff comment in custom config files to easily distinguish default configurations from those I made (and I put those at the end of the config files).
Now I wanted to append the directive UseDNS no to the configuration (to speed up logins) but OpenSSH said Directive 'UseDNS' is not allowed within a Match block.

Now I was wondering whether there is a syntax like End Match to end those match blocks?

mreithub
  • 3,583

3 Answers3

62

To end up a match block with openssh 6.5p1 or above, use the line: Match all

Here is a piece of code, taken from my /etc/ssh/sshd_config file:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Match host 192.168.1.12
    PasswordAuthentication yes
Match all

X11Forwarding yes
X11DisplayOffset 10

A line with a sole Match won't work. (It didn't work for me, sshd refused to start)

Stéphane Chazelas
  • 544,893
loxaxs
  • 1,924
  • 2
    Cool, I've just tried that one out and it seems to work as expected (I could even use the UseDNS directive (which didn't work before). Accepting this as the new answer. -- Newer OpenSSH versions apparently won't even start with an empty Match: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032456.html – mreithub Aug 17 '16 at 19:48
  • 1
    One should not that the indentation of PasswordAuthentication is misleading. I'm writing it that way too, however the config parser does not care about indentation. All it looks for is match blocks. Once it's seen one, the global config is over, and all it cares about are match blocks. – Marki Dec 24 '20 at 12:47
51

It seems there is no way to explicitly end Match blocks. From the sshd_config manual page:

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

So Match blocks need to be at the end of the sshd_config file.

mreithub
  • 3,583
  • 7
    Another option is to have a line with nothing but Match on it, which effectively matches everything and therefore is the same as 'ending' the block. This still won't let you use directives that aren't allowed in Match blocks, though, so it won't help with your particular scenario. – Nathan Bouscal Apr 28 '13 at 02:28
  • 7
    "Match blocks need to be at the end of the sshd_config file." Very helpful to me and not explained clearly enough (for me) in the man page, etc. Thanks. – MountainX Apr 29 '13 at 22:26
2

I think we should mention the Match and Host key at the same time.

Host

Restricts the following declarations (up to the next Host or Match keyword) to be only for those hosts that match one of the patterns given after the keyword.

Match

Restricts the following declarations (up to the next Host or Match keyword) to be used only when the conditions following the Match keyword are satisfied.

Reading the manual of man ssh_config, both Host * and Match all will reset former restriction block, no matter the former one is a Match block or a Host block.

Simba
  • 1,682