From fb8ac0a42bd415223727f633e0ee7b0beb8cd7c9 Mon Sep 17 00:00:00 2001
From: Andre Lehmann
Date: Mon, 22 Jun 2020 18:01:40 +0200
Subject: [PATCH] Add option to create 'LocalPort' match block
Signed-off-by: Andre Lehmann
---
 README.md | 1 +
 defaults/main.yml | 9 ++++++---
 templates/opensshd.conf.j2 | 18 +++++++++++++++---
 tests/default_custom.yml | 8 ++++++++
 4 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 2a048c0..ca2fa2e 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_local_port` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
 |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
diff --git a/defaults/main.yml b/defaults/main.yml
index 2aac1ae..65e191b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -155,15 +155,18 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
-# list of hashes (containing user and rules) to generate Match User blocks for.
+# list of hashes (containing user and rules) to generate Match User blocks for
 ssh_server_match_user: false # sshd
-# list of hashes (containing group and rules) to generate Match Group blocks for.
+# list of hashes (containing group and rules) to generate Match Group blocks for
 ssh_server_match_group: false # sshd
-# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
+# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
 ssh_server_match_address: false # sshd
+# list of hashes (containing port and rules) to generate Match LocalPort blocks for
+ssh_server_match_local_port: false # sshd
+
 ssh_server_permit_environment_vars: 'no'
 ssh_server_accept_env_vars : ''
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 738a842..d8dd556 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -261,8 +261,8 @@ Match Group sftponly
 PermitRootLogin no
 X11Forwarding no
 {% endif %}
-
 {% if ssh_server_match_address %}
+
 # Address matching configuration
 # ============================
@@ -273,8 +273,8 @@ Match Address {{ item.address }}
 {% endfor %}
 {% endfor %}
 {% endif %}
-
 {% if ssh_server_match_group %}
+
 # Group matching configuration
 # ============================
@@ -285,8 +285,8 @@ Match Group {{ item.group }}
 {% endfor %}
 {% endfor %}
 {% endif %}
-
 {% if ssh_server_match_user %}
+
 # User matching configuration
 # ===========================
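Review bot: The new comment on `ssh_server_match_local_port` does not say that a `Match LocalPort` block only applies to connections accepted on a port sshd actually listens on, so a port that is not also configured as a listen port (presumably via `ssh_server_ports`, which the test change sets alongside it) yields a block that silently never matches, with no error from sshd. Suggest `# list of hashes (containing port and rules) to generate Match LocalPort blocks for; each port must also be one sshd listens on (see ssh_server_ports)`. The README row added in the first hunk would benefit from the same sentence.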
@@ -297,3 +297,15 @@ Match User {{ item.user }}
 {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_local_port %}
+
+# LocalPort matching configuration
+# ================================
+
+{% for item in ssh_server_match_local_port %}
+Match LocalPort {{ item.port }}
+ {% for rule in item.rules %}
+ {{ rule | indent(4) }}
+ {% endfor %}
+{% endfor %}
+{% endif %}
diff --git a/tests/default_custom.yml b/tests/default_custom.yml
index 36f31ca..749aeef 100644
--- a/tests/default_custom.yml
+++ b/tests/default_custom.yml
@@ -73,6 +73,9 @@
 sftp_enabled: true
 sftp_chroot: true
 #ssh_server_enabled: false
+ ssh_server_ports:
+ - 22
+ - 222
 ssh_server_match_address:
 - address: '192.168.1.1/24'
 rules:
@@ -88,6 +91,11 @@
 rules:
 - 'AllowTcpForwarding yes'
 - 'AllowAgentForwarding no'
+ ssh_server_match_local_port:
+ - port: 222
+ rules:
+ - 'AllowTcpForwarding yes'
+ - 'AllowAgentForwarding no'
 ssh_remote_hosts:
 - names: ['example.com', 'example2.com']
 options: ['Port 2222', 'ForwardAgent yes']
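Review bot: `Match LocalPort {{ item.port }}` renders an empty criterion when an item has no `port` key, and sshd rejects the whole config at parse time rather than skipping the block; `Match LocalPort {{ item.port | mandatory }}` makes the play fail with a clear message instead. The block is also emitted after the existing User, Group and Address blocks, and sshd keeps the first value it obtains for each keyword, so a rule in a LocalPort block cannot override a keyword already set by an earlier matching Match block; that ordering deserves a template comment such as `{# rendered last: keywords set by a matching User/Group/Address block above take precedence #}`, or the block should be moved ahead of them if LocalPort is meant to win. As in the existing match blocks, each `rules` entry is written verbatim into sshd_config, so the role relies on the caller supplying well-formed keywords.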
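Review bot: The new `ssh_server_match_local_port` entry for port 222 only has an effect because the earlier hunk in this file adds 222 to `ssh_server_ports`, and nothing in the test file records that dependency; a comment above the new block, `# 222 is listed in ssh_server_ports above; otherwise this Match LocalPort block would never apply`, keeps the two from drifting apart. As far as the files in this patch show, no assertion checks that the rendered sshd_config actually contains the `Match LocalPort 222` block with its two rules.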