The Match directive in SSH (Secure Shell) configuration files is used to apply specific settings conditionally based on criteria such as user, group, host, or address. It provides more flexibility by allowing different SSH behaviors depending on the context of the connection.

There are two main SSH configuration files where the Match directive is used, and they accept different criteria:

  • ssh_config: The configuration file for the SSH client, which controls outgoing connections. Its Match criteria describe the connection the client is about to make (for example host, originalhost, user, localuser, exec and canonical).
  • sshd_config: The configuration file for the SSH server, which controls incoming connections. Its Match criteria describe the incoming connection (User, Group, Host, Address, LocalAddress, LocalPort and RDomain). The rest of this post deals with sshd_config.


The Match keyword is followed by one or more criteria, each a keyword and a pattern, and the directives on the following lines are applied only to connections that satisfy every criterion on that Match line. The block ends at the next Match line or at the end of the file.

When a block matches, its directives override the values set in the global section of the file (everything before the first Match line). If more than one block matches the same connection, the first matching block that sets a given directive wins for that directive, so order the blocks from most to least specific. Only a subset of the sshd_config directives is permitted inside a Match block; sshd_config(5) lists them, and sshd refuses the file if any other directive appears there. The quickest way to see which settings a particular client would actually get is sshd's extended test mode (sshd -T together with a -C connection specification, run as root), which prints the configuration with the applicable Match blocks already merged in.


Match Criterion pattern
    Directive1 value
    Directive2 value


Or several criteria that must all match (a logical AND):

Match Criterion1 pattern1 Criterion2 pattern2 ...
    Directive1 value
    Directive2 value


A single criterion can instead be given a comma-separated list of patterns, of which any one may match (a logical OR); patterns may contain the wildcards * and ?, and a pattern prefixed with ! is negated. Be aware that a list consisting only of negated patterns matches nothing: to match everyone except root the criterion has to be written User *,!root rather than User !root (see the link at the end of this post).


Below are the criteria keywords accepted by the Match directive in sshd_config.

  • User -> the user name being authenticated, e.g. User john, User admin
  • Group -> matches if any of the user's groups (primary or supplementary) matches, e.g. Group sftp_users
  • Host -> the client's host name as found by reverse DNS, e.g. Host server.example.com, Host *.example.com; this requires UseDNS yes (with the default UseDNS no it holds the client's IP address instead), so prefer Address for access decisions
  • Address -> the client's IP address, as a single address or a CIDR range, e.g. Address 192.168.1.0/24, Address 192.168.1.10
  • LocalAddress -> the server address the client connected to
  • LocalPort -> the server port the client connected to, a single port number, e.g. LocalPort 22, LocalPort 2222
  • RDomain -> the routing domain the connection arrived on (OpenBSD)


A common use of Match Group is setting up an SFTP-only server, as shown in my following post.


Here every user who is a member of the sftp group is locked (chrooted) into their own home directory (%h, which sshd expands to the user's home directory at login), and ForceCommand internal-sftp means the session can only run the in-process SFTP server, never a shell or any other command. Two caveats: sshd requires the ChrootDirectory and every directory on the path to it to be owned by root and not writable by any other user or group, otherwise the login fails with "bad ownership or modes for chroot directory", so a home directory owned by the user has to be restructured (for example a root-owned home containing a user-writable subdirectory); and because the user still gets a complete SSH connection, it is usual to add AllowTcpForwarding no and X11Forwarding no to the same block so the chrooted account cannot be used as a tunnel endpoint.

Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp


Another example uses the LocalPort criterion. Every user who connects to the SSH server on local port 2222 gets X11 forwarding and TCP forwarding enabled and sees a custom banner before signing in. This only works if sshd actually listens on that port, so the global section needs a Port 2222 line in addition to Port 22 (Port may be given more than once).

Match LocalPort 2222
        X11Forwarding yes
        AllowTcpForwarding yes
        Banner /etc/ssh/sshd-banner


We can also make a setting depend on where the client connects from, using the Address criterion, which matches the client's IP address or a CIDR range. Below, root login is denied globally and allowed only for connections from the 192.168.2.0/24 subnet. Bear in mind that PermitRootLogin yes also lets root log in with a password; prohibit-password limits root to key-based authentication and is the safer value to grant from a trusted subnet.

PermitRootLogin no

Match Address 192.168.2.0/24
        PermitRootLogin yes


We can also combine criteria, for example User and Address, so that a setting applies only to one user and only from one network. The directive inside such a block has to be one that is meaningful for the matched connection, though: PermitRootLogin inside a Match User marcus block would never take effect, because that block only matches sessions for marcus, and PermitRootLogin only governs logins as root.

Below, password authentication is disabled globally and re-enabled only for marcus when he connects from the 192.168.2.0/24 subnet; from anywhere else, or for any other user, a key is required.

PasswordAuthentication no

Match User marcus Address 192.168.2.0/24
        PasswordAuthentication yes


If the goal is instead that only marcus, and only from that subnet, may log in at all, that is expressed with a global AllowUsers entry in user@host form rather than with a Match block:

AllowUsers marcus@192.168.2.0/24
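As an added example, not part of the original post and not OpenSSH's own code, the following Python script models the Match rules described above (global section, AND across criteria, comma-separated OR lists with ! negation, CIDR ranges for Address, and first matching block wins per directive) and evaluates a constructed sshd_config that contains the Group, LocalPort and Address examples from this post plus, going beyond the page, a negated Address entry and a block combining User and Address. The sample config, the Connection class and the effective_options function are assumptions made for the example; the sftp block also carries an AllowTcpForwarding no line so that the ordering rule between two matching blocks is visible.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sshd_config for this page: its Match examples, plus (going beyond
# the page) a negated Address entry and a block that combines User and Address.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no

Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

Match LocalPort 2222
        X11Forwarding yes
        AllowTcpForwarding yes

Match Address 192.168.2.0/24,!192.168.2.1
        PermitRootLogin yes

Match User marcus Address 192.168.2.0/24
        PasswordAuthentication yes
"""


@dataclass(frozen=True)
class Connection:          # assumed shape: what sshd knows when it evaluates Match
    user: str
    groups: tuple          # primary plus supplementary groups of the user
    addr: str              # client IP address
    lport: int             # server port the client connected to


def _glob(pattern, value):
    # sshd patterns know only '*' and '?'; translate them into an anchored regex
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _cidr(entry, addr):
    try:   # a bare address is treated as a /32 (or /128) network
        return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False


def _list_match(spec, value, one):
    """Comma-separated list: 1 = a positive entry hit, -1 = a '!' entry hit (rejects the
    whole list), 0 = nothing hit. A list made only of '!' entries can never return 1."""
    positive = 0
    for entry in spec.split(","):
        if one(entry.lstrip("!"), value):
            if entry.startswith("!"):
                return -1
            positive = 1
    return positive


def _criterion_ok(keyword, spec, conn):
    k = keyword.lower()
    if k == "user":
        return _list_match(spec, conn.user, _glob) == 1
    if k == "group":   # any group may match, but a negated hit on any group rejects
        results = [_list_match(spec, g, _glob) for g in conn.groups]
        return -1 not in results and 1 in results
    if k == "address":
        return _list_match(spec, conn.addr, _cidr) == 1
    if k == "localport":
        return int(spec) == conn.lport
    raise ValueError(f"criterion not modelled here: {keyword}")


def parse_sshd_config(text):
    """Return (global_options, [(criteria, options), ...]) with lower-cased keywords."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, rest = (line.split(None, 1) + [""])[:2]
        keyword, rest = keyword.lower(), rest.strip()
        if keyword == "match":
            tokens = rest.split()
            if not tokens or len(tokens) % 2:
                raise ValueError(f"Match needs criterion/pattern pairs: {raw!r}")
            current = (list(zip(tokens[::2], tokens[1::2])), {})
            blocks.append(current)
        else:   # within one section the first value given for a keyword wins
            (global_opts if current is None else current[1]).setdefault(keyword, rest)
    return global_opts, blocks


def effective_options(text, conn):
    """Global section overridden by matching blocks; first matching block wins per keyword."""
    global_opts, blocks = parse_sshd_config(text)
    from_match = {}
    for criteria, opts in blocks:
        if all(_criterion_ok(k, v, conn) for k, v in criteria):
            for kw, val in opts.items():
                from_match.setdefault(kw, val)
    return {**global_opts, **from_match}


if __name__ == "__main__":
    conn = Connection("bob", ("bob", "sftp"), "10.0.0.7", 2222)
    print(effective_options(SAMPLE_SSHD_CONFIG, conn))
```

The model shows the two behaviours that most often surprise people: root from 192.168.2.1 still gets PermitRootLogin no because the negated entry rejects the whole Address list, and a user in the sftp group connecting on port 2222 keeps AllowTcpForwarding no because the sftp block comes first and already set that directive. It does not expand %h, and it ignores Host, LocalAddress, RDomain and Match All. On a real host the authoritative check is sshd -T -C user=bob,addr=10.0.0.7,lport=2222 run as root, which prints the merged configuration for exactly such a connection.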





Links

Using negation in “Match” conditional blocks in sshd_config
https://access.redhat.com/solutions/289073