Proposal: SSHDConfig Set Support for Match Blocks #1342

@tgauth

Summary of the new feature / enhancement

As a user, I want to be able to use the Microsoft.OpenSSH/SSHDConfig resource to configure the settings within a match block. Ideally, the experience should be similar to the way that I would configure global settings.

Proposed technical implementation details (optional)

This design aims to manage the match criteria like other repeatable keywords (see #1340) and manage the contents of the match block by treating it as its own configuration (leveraging the existing SSHD -T validation to verify that keywords are allowed within the match block).

To do so, add _scope and _criteria properties to the existing Microsoft.OpenSSH/SSHDConfig resource, so the schema would look like the following:

_scope: "global" | "match"  # default: global
_criteria:                  # required when _scope: match
  user: Vec<string>
  group: Vec<string>
  host: Vec<string>
  address: Vec<string>
  localaddress: Vec<string>
  localport: Vec<string>
  rdomain: Vec<string>
# + any keywords targeted for match block

Match Block Lifecycle

  • Creation: Implicit when _scope: "match" is used with any keyword(s)
  • Removal: Explicit via Microsoft.OpenSSH/SSHDConfig.Repeatable with _exist: false and match keyword using typed criteria

Examples:

  1. Configure an initial match block:

- type: Microsoft.OpenSSH/SSHDConfig
  properties:
    _scope: "match"
    _criteria:
      user:
      - admin
    PasswordAuthentication: true
    AuthorizedKeysFile: "__PROGRAM_DATA__/ssh/administrators_authorized_keys"

match user admin
     PasswordAuthentication yes
     AuthorizedKeysFile __PROGRAM_DATA__/ssh/administrators_authorized_keys

  2. To update a keyword in a match block:

- type: Microsoft.OpenSSH/SSHDConfig
  properties:
    _scope: "match"
    _criteria:
      user:
      - admin
    PasswordAuthentication: false

match user admin
     PasswordAuthentication no
     AuthorizedKeysFile __PROGRAM_DATA__/ssh/administrators_authorized_keys

  3. To update all keywords in a match block (purge):

- type: Microsoft.OpenSSH/SSHDConfig
  properties:
    _scope: "match"
    _criteria:
      user:
      - admin
    _purge: true
    PasswordAuthentication: false

match user admin
     PasswordAuthentication no

  4. To remove the entire match block:

- type: Microsoft.OpenSSH/SSHDConfig.Repeatable
  properties:
    _exist: false
    match:
      - user:
        - admin
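
The update and purge behaviour from examples 1 to 3, modelled as an added sketch that is not part of the issue or of the DSC code base. `MatchBlock`, `Value`, `set` and `render` are hypothetical names; the sketch assumes keywords are compared case-insensitively (as sshd treats them) and that multiple criteria values are joined with commas.

```rust
// Added illustration: a hypothetical model of the proposed set semantics.
#[derive(Clone)]
pub enum Value { Bool(bool), Text(String) }

pub struct MatchBlock {
    pub criteria: Vec<(String, Vec<String>)>, // e.g. ("user", ["admin"])
    pub keywords: Vec<(String, Value)>,       // kept in file order
}

impl MatchBlock {
    /// Without purge only the named keywords change and the rest survive;
    /// with purge the block ends up holding exactly the desired keywords.
    pub fn set(&mut self, desired: &[(&str, Value)], purge: bool) {
        if purge { self.keywords.clear(); }
        for (name, value) in desired {
            let found = self.keywords.iter().position(|(k, _)| k.eq_ignore_ascii_case(name));
            if let Some(pos) = found {
                self.keywords[pos].1 = value.clone();
            } else {
                self.keywords.push((name.to_string(), value.clone()));
            }
        }
    }

    /// Render the block as sshd_config text, mapping booleans to yes/no.
    pub fn render(&self) -> String {
        let crit: Vec<String> = self.criteria.iter()
            .map(|(k, v)| format!("{} {}", k, v.join(",")))
            .collect();
        let mut out = format!("match {}\n", crit.join(" "));
        for (k, v) in &self.keywords {
            let text = match v {
                Value::Bool(true) => "yes".to_string(),
                Value::Bool(false) => "no".to_string(),
                Value::Text(s) => s.clone(),
            };
            out.push_str(&format!("    {} {}\n", k, text));
        }
        out
    }
}

fn main() {
    let keys = "__PROGRAM_DATA__/ssh/administrators_authorized_keys".to_string();
    let mut b = MatchBlock { criteria: vec![("user".into(), vec!["admin".into()])], keywords: vec![] };
    b.set(&[("PasswordAuthentication", Value::Bool(true)), ("AuthorizedKeysFile", Value::Text(keys))], false);
    b.set(&[("PasswordAuthentication", Value::Bool(false))], false); // example 2: update
    print!("{}", b.render());
    b.set(&[("PasswordAuthentication", Value::Bool(false))], true); // example 3: purge
    print!("{}", b.render());
}
```

Without `_purge`, a keyword left over from an earlier configuration stays in the block, so an audit of the effective settings has to read the rendered block rather than the last document applied.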
