
Using the Match block in sshd_config

Match is an optional, conditional block in sshd_config that can satisfy use cases the JumpCloud agent does not cover on its own. The agent will not overwrite a Match block.

For detailed information, see the sshd_config man page for your particular distro. Append a Match block to the end of the file.

Example: require all users to authenticate with both a password AND a public key:

```
# BeginGlobalExceptions
Match All
  PasswordAuthentication yes
  PubkeyAuthentication yes
  AuthenticationMethods password,publickey
# GlobalExceptionsEnd
```

**Be sure to restart sshd after making any config changes so they take effect.**

Automate change distribution to many systems

To apply this to many systems at once, use the Commands function in the JumpCloud Administrator Console.
  • Before running this across many systems, test the process on a small number of systems and manually verify that the desired behavior has been achieved.
  • This will not work with very old versions of sshd; in testing, we found that the parameters needed for the exception were not honored by OpenSSH 5.x.
  • The script expects your sshd service to be called sshd; if it is not, modify lines 27 and 29 with the appropriate name of the service.
  • Appending the Match block to the end of the config is one approach; it does not check for conflicting Match blocks. This method should work for most implementations, but testing before mass deployment is recommended.
  • The Match block in this script contains the conditions above; if your environment requires other conditions, change them as needed.
  1. Copy the contents of the script to a local file.
  2. In the Administrator Console, create a new command.
  3. Upload the file created in step 1.
  4. Enter the path to the file in the command for execution. This is /tmp/FILENAME by default.
  5. Select the desired systems or system groups to apply the command to and save.
  6. When ready, select the new command and select 'run now'.
  7. This command should return exit code 0. Depending on the Linux flavor, there may also be some stdout in the logs section.
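As an added example (not the JumpCloud command script this article refers to), the following POSIX shell script appends the Match block above only once, warns when other Match blocks already exist, validates the result with `sshd -t` before restarting, and keeps a backup for rollback. The config path /etc/ssh/sshd_config and the service name sshd are assumed defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not JumpCloud's script: idempotently append the article's
# Match block to sshd_config, validate it, then restart the service.
# Assumed defaults (override via environment): config path and service name.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_SERVICE="${SSHD_SERVICE:-sshd}"    # e.g. "ssh" on Debian/Ubuntu
BEGIN_MARK='# BeginGlobalExceptions'
END_MARK='# GlobalExceptionsEnd'

# Emit the Match block exactly as shown in the article.
match_block() {
  printf '%s\n' "$BEGIN_MARK" 'Match All' \
    '  PasswordAuthentication yes' \
    '  PubkeyAuthentication yes' \
    '  AuthenticationMethods password,publickey' "$END_MARK"
}

# Count "Match" lines in $1; more than one after appending means there are
# other blocks to review for conflicting keywords.
count_match_blocks() {
  grep -ciE '^[[:space:]]*Match[[:space:]]' "$1" || true
}

# Append the block to $1 unless our markers are already there.
# Returns 0 when appended, 1 when already present (safe to re-run).
append_match_block() {
  cfg="$1"
  if grep -qxF "$BEGIN_MARK" "$cfg" 2>/dev/null; then
    return 1
  fi
  # sshd applies only the first satisfied Match block for each keyword, so an
  # earlier Match block could silently override the settings appended here.
  if [ "$(count_match_blocks "$cfg")" -gt 0 ]; then
    echo "warning: $cfg already has Match block(s); review for conflicts" >&2
  fi
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
  { printf '\n'; match_block; } >> "$cfg"
}

# Apply to the live config (run as root). Refuses to restart on a config that
# fails "sshd -t", which would otherwise lock every user out.
main() {
  if append_match_block "$SSHD_CONFIG"; then
    sshd -t -f "$SSHD_CONFIG" || { echo "config test failed; restore backup" >&2; exit 1; }
    if command -v systemctl >/dev/null 2>&1; then systemctl restart "$SSHD_SERVICE"
    else service "$SSHD_SERVICE" restart; fi
  else
    echo "Match block already present in $SSHD_CONFIG; nothing to do"
  fi
}
# Only touch the live system when invoked with --apply.
case "${1:-}" in --apply) main ;; esac
```

Run it as `sh deploy_match_block.sh --apply` from the JumpCloud command; without `--apply` it only defines the functions, which makes it easy to test against a copy of the config first.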

Last Updated: Sep 19, 2018 04:13PM MDT
