path: root/usr.bin/ssh/sshd_config.5
author Damien Miller <djm@cvs.openbsd.org> 2008-06-10 03:57:28 +0000
committer Damien Miller <djm@cvs.openbsd.org> 2008-06-10 03:57:28 +0000
commit c918fcb911296db61fe2488385fdbf5e8a132ac4 (patch)
tree 55f5f59cf1ca5dc688ea409f3026423868eb02bb /usr.bin/ssh/sshd_config.5
parent 3251e557452a789c02205b213ceb43ea52433e49 (diff)
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

    Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
        PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
Diffstat (limited to 'usr.bin/ssh/sshd_config.5')
-rw-r--r-- usr.bin/ssh/sshd_config.5 26
1 files changed, 24 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 1edd8217a17..4091c44ae91 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $
-.Dd $Mdocdate: May 8 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $
+.Dd $Mdocdate: June 10 2008 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
+.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs.
@@ -566,6 +567,27 @@ The available criteria are
.Cm Host ,
and
.Cm Address .
+The match patterns may consist of single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx SSH_KNOWN_HOSTS FILE FORMAT
+section of
+.Xr sshd 8 .
+.Pp
+The patterns in an
+.Cm Address
+criteria may additionally contain addresses to match in CIDR
+address/masklen format, e.g.
+.Dq 192.0.2.0/24
+or
+.Dq 3ffe:ffff::/32 .
+Note that the mask length provided must be consistent with the address -
+it is an error to specify a mask length that is too long for the address
+or one with bits set in this host portion of the address. For example,
+.Dq 192.0.2.0/33
+and
+.Dq 192.0.2.0/8
+respectively.
+.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
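Review bot: In the new Address paragraph, "an .Cm Address criteria" pairs a singular article with a plural noun ("criterion" is meant), and "bits set in this host portion" should read "the host portion". The closing "For example, 192.0.2.0/33 and 192.0.2.0/8 respectively." is a fragment that leaves the reader to pair each example with its error; something like "For example, 192.0.2.0/33 has a mask length that is too long and 192.0.2.0/8 has bits set in the host portion." would be unambiguous. The text also calls these cases an error without saying how sshd reports it (when the configuration is loaded, or only when the Match line is evaluated), which matters to an administrator relying on a Match block to restrict access; a sentence stating that would help. Per mdoc convention each new sentence starts on its own line, so the line "or one with bits set in this host portion of the address. For example," should break after the period.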