I would like to understand why these three rules in sshd_config behave differently:
Match host localhost
PasswordAuthentication yes
Match address 127.0.0.1
PasswordAuthentication yes
Match address ::1
PasswordAuthentication yes
Assume one of these rules is set on machine A and there is also another machine B which can locally ssh to A through one of these 3 tunnels:
A$ ssh B -R2222:localhost:22
A$ ssh B -R2222:127.0.0.1:22
A$ ssh B -R2222:[::1]:22
To test on machine A, I use:
A$ ssh localhost
A$ ssh 127.0.0.1
A$ ssh ::1
And for each tunnel setting I test on B:
B$ ssh -p2222 localhost
B$ ssh -p2222 127.0.0.1
B$ ssh -p2222 ::1
(only one tunnel is active at the same time)
If it asks for a password there is a match, otherwise there is no match. There are 3*(3+3*3)=36 tests. For each of the 3 different Match rules there are 3 tests on A and 3 tests on B for each of the 3 different tunnels, i.e. 12 tests for each rule.
Results:
For Match host localhost there are 12/12 matches (always asks for password).
For Match address 127.0.0.1 there are 4/12 matches: 1/3 match for machine A, with A$ ssh 127.0.0.1, and 3/3 matches for machine B when the tunnel is set by A$ ssh B -R2222:127.0.0.1:22
For Match address ::1 there are 8/12 matches, i.e. 4 fails: 1/3 fail for A, with A$ ssh 127.0.0.1, and 3/3 fails for B when the tunnel is set by A$ ssh B -R2222:127.0.0.1:22
Obviously with the rule Match address 127.0.0.1,::1 all combinations will be matched.
However I don't understand how this works, especially why address localhost is matched by rule ::1 and not by rule 127.0.0.1, and why address 127.0.0.1 (resp. ::1) can be matched by rule ::1 (resp. 127.0.0.1) only remotely and not locally?
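The test matrix above as a small model, added here as an example and not part of the original post. It assumes that on machine A localhost resolves to ::1 first, that both loopback addresses reverse-resolve to localhost, and that Match address is compared (exactly, without CIDR or wildcards) with the source address of the TCP connection that A's sshd accepts. Under those assumptions it reproduces the 12/12, 4/12 and 8/12 counts reported.

```python
from fnmatch import fnmatch
from itertools import product

# Assumptions (not stated in the post): on machine A "localhost" resolves to
# ::1 first, and both loopback addresses reverse-resolve to "localhost".
RESOLVE = {"localhost": "::1", "127.0.0.1": "127.0.0.1", "::1": "::1"}
REVERSE = {"127.0.0.1": "localhost", "::1": "localhost"}
TARGETS = ["localhost", "127.0.0.1", "::1"]


def source_seen_by_sshd(target):
    """Loopback source address of a connection opened on A towards `target`."""
    return RESOLVE[target]


def connections():
    """Yield (label, source address seen by A's sshd) for the 12 tests of one rule."""
    # Direct tests on A: the name or address typed on A decides the family.
    for target in TARGETS:
        yield f"A$ ssh {target}", source_seen_by_sshd(target)
    # Tests on B: what B types only selects B's listener on port 2222. The
    # connection to A's sshd is opened by the ssh client on A towards the
    # destination given in -R, so the tunnel destination decides.
    for tunnel_dest, typed_on_b in product(TARGETS, TARGETS):
        label = f"-R2222:{tunnel_dest}:22, B$ ssh -p2222 {typed_on_b}"
        yield label, source_seen_by_sshd(tunnel_dest)


def rule_matches(kind, pattern, addr):
    """Simplified Match evaluation: exact address, or glob on the reverse name."""
    if kind == "address":
        return addr == pattern
    if kind == "host":
        return fnmatch(REVERSE[addr], pattern)
    raise ValueError(f"unsupported criterion: {kind}")


def count_matches(kind, patterns):
    """Number of the 12 tests in which at least one pattern of the rule matches."""
    return sum(
        any(rule_matches(kind, p, addr) for p in patterns)
        for _, addr in connections()
    )


if __name__ == "__main__":
    for kind, pats in [("host", ["localhost"]), ("address", ["127.0.0.1"]),
                       ("address", ["::1"]), ("address", ["127.0.0.1", "::1"])]:
        print(f"Match {kind} {','.join(pats)}: {count_matches(kind, pats)}/12")
```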