dev-sec · schurzi · Jun 22, 2020 · Jun 22, 2020
diff --git a/README.md b/README.md
@@ -70,6 +70,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_match_address` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
+|`ssh_server_match_local_port` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
 |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -155,15 +155,18 @@ sftp_chroot_dir: /home/%u
 # enable experimental client roaming
 ssh_client_roaming: false
 
-# list of hashes (containing user and rules) to generate Match User blocks for.
+# list of hashes (containing user and rules) to generate Match User blocks for
 ssh_server_match_user: false        # sshd
 
-# list of hashes (containing group and rules) to generate Match Group blocks for.
+# list of hashes (containing group and rules) to generate Match Group blocks for
 ssh_server_match_group: false       # sshd
 
-# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
+# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
 ssh_server_match_address: false     # sshd
 
+# list of hashes (containing port and rules) to generate Match LocalPort blocks for
+ssh_server_match_local_port: false  # sshd
+
 ssh_server_permit_environment_vars: 'no'
 ssh_server_accept_env_vars : ''
 

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -261,8 +261,8 @@ Match Group sftponly
     PermitRootLogin no
     X11Forwarding no
 {% endif %}
-
 {% if ssh_server_match_address %}
+
 # Address matching configuration
 # ============================
 
@@ -273,8 +273,8 @@ Match Address {{ item.address }}
   {% endfor %}
 {% endfor %}
 {% endif %}
-
 {% if ssh_server_match_group %}
+
 # Group matching configuration
 # ============================
 
@@ -285,8 +285,8 @@ Match Group {{ item.group }}
   {% endfor %}
 {% endfor %}
 {% endif %}
-
 {% if ssh_server_match_user %}
+
 # User matching configuration
 # ===========================
 
@@ -297,3 +297,15 @@ Match User {{ item.user }}
   {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_local_port %}
+
+# LocalPort matching configuration
+# ================================
+
+{% for item in ssh_server_match_local_port %}
+Match LocalPort {{ item.port }}
+  {% for rule in item.rules %}
+    {{ rule | indent(4) }}
+  {% endfor %}
+{% endfor %}
+{% endif %}
diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -73,6 +73,9 @@
     sftp_enabled: true
     sftp_chroot: true
     #ssh_server_enabled: false
+    ssh_server_ports:
+      - 22
+      - 222
     ssh_server_match_address:
       - address: '192.168.1.1/24'
         rules:
@@ -88,6 +91,11 @@
         rules:
           - 'AllowTcpForwarding yes'
           - 'AllowAgentForwarding no'
+    ssh_server_match_local_port:
+      - port: 222
+        rules:
+          - 'AllowTcpForwarding yes'
+          - 'AllowAgentForwarding no'
     ssh_remote_hosts:
       - names: ['example.com', 'example2.com']
         options: ['Port 2222', 'ForwardAgent yes']