Support of custom match configuration blocks

They are sometimes useful when you need to have user/group rectrictions or want to override some global configuration options

Signed-off-by: Artem Sidorenko <[email protected]>

Author: artem-sidorenko

README.md

@@ -79,6 +79,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['sftp']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
 * `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected
 * `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
+* `['ssh-hardening']['ssh']['server']['match_blocks']` - `{}`. Match configuration block, see [below](#match-configuration-options-for-sshd) for details
 
 ## Usage
 
@@ -145,6 +146,24 @@ default['ssh-hardening']['ssh']['client']['extras'].tap do |extra|
 end
 ```
 
+## Match Configuration Options for sshd
+Match blocks have to be placed by the end of sshd_config. This can be achieved by using the `match_blocks` attribute tree:
+
+```
+default['ssh-hardening']['ssh']['server']['match_blocks'].tap do |match|
+  match['User root'] = <<~ROOT
+    AuthorizedKeysFile .ssh/authorized_keys
+  ROOT
+  match['User git'] = <<~GIT
+    Banner none
+    AuthorizedKeysCommand /bin/false
+    AuthorizedKeysFile .ssh/authorized_keys
+    GSSAPIAuthentication no
+    PasswordAuthentication no
+  GIT
+end
+```
+
 ## Local Testing
 
 Please install [chef-dk](https://downloads.chef.io/chefdk), [VirtualBox](https://www.virtualbox.org/) or VMware Workstation and [Vagrant](https://www.vagrantup.com/).

attributes/default.rb

@@ -113,6 +113,9 @@
   # extra server configuration options
   server['extras']                   = {}
 
+  # server match configuration block
+  server['match_blocks']             = {}
+
   # sshd sftp options
   server['sftp']['enable']                  = false
   server['sftp']['log_level']               = 'VERBOSE'

spec/recipes/server_spec.rb

@@ -501,6 +501,35 @@
     end
   end
 
+  describe 'match configuration blocks' do
+    context 'without custom extra config value' do
+      cached(:chef_run) do
+        ChefSpec::SoloRunner.new.converge(described_recipe)
+      end
+
+      it 'does not have any match config blocks' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config')
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config').
+          with_content(/^# Match Configuration Blocks/)
+      end
+    end
+
+    context 'with custom match config block value' do
+      cached(:chef_run) do
+        ChefSpec::SoloRunner.new do |node|
+          node.normal['ssh-hardening']['ssh']['server']['match_blocks']['User root'] = <<~ROOT
+            AuthorizedKeysFile .ssh/authorized_keys
+          ROOT
+        end.converge(described_recipe)
+      end
+
+      it 'uses the match config blocks' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^# Match Configuration Blocks/)
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^Match User root/)
+      end
+    end
+  end
+
   it 'disables the challenge response authentication' do
     expect(chef_run).to render_file('/etc/ssh/sshd_config').
       with_content(/ChallengeResponseAuthentication no/)

templates/default/opensshd.conf.erb

@@ -245,3 +245,11 @@ X11Forwarding no
 #PermitRootLogin no
 #X11Forwarding no
 <% end %>
+
+<%- unless @node['ssh-hardening']['ssh']['server']['match_blocks'].empty? %>
+# Match Configuration Blocks
+  <%- @node['ssh-hardening']['ssh']['server']['match_blocks'].each do |key, value| %>
+Match <%= key %>
+  <%= value.split("\n").join("\n  ") %>
+  <% end -%>
+<% end -%>