From 53029619298c1f39d8f5317a52c0abd70fed4bee Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 1 Feb 2021 11:54:36 -0800
Subject: [PATCH] Add Match all to sshd host template

---
 authority/ssh_test.go | 2 +-
 authority/testdata/templates/sshd_config.tpl | 3 ++-
 templates/values.go | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/authority/ssh_test.go b/authority/ssh_test.go
index b5cce1fd..f7316103 100644
--- a/authority/ssh_test.go
+++ b/authority/ssh_test.go
@@ -450,7 +450,7 @@ func TestAuthority_GetSSHConfig(t *testing.T) {
 {Name: "config.tpl", Type: templates.File, Comment: "#", Path: "ssh/config", Content: []byte("Match exec \"step ssh check-host %h\"\n\tUserKnownHostsFile /home/user/.step/ssh/known_hosts\n\tProxyCommand step ssh proxycommand %r %h %p\n")},
 }
 hostOutputWithUserData := []templates.Output{
- {Name: "sshd_config.tpl", Type: templates.File, Comment: "#", Path: "/etc/ssh/sshd_config", Content: []byte("TrustedUserCAKeys /etc/ssh/ca.pub\nHostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub\nHostKey /etc/ssh/ssh_host_ecdsa_key")},
+ {Name: "sshd_config.tpl", Type: templates.File, Comment: "#", Path: "/etc/ssh/sshd_config", Content: []byte("Match all\nTrustedUserCAKeys /etc/ssh/ca.pub\nHostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub\nHostKey /etc/ssh/ssh_host_ecdsa_key")},
 }

 tmplConfigErr := &templates.Templates{
diff --git a/authority/testdata/templates/sshd_config.tpl b/authority/testdata/templates/sshd_config.tpl
index 5ce01fc4..ab4ddec6 100644
--- a/authority/testdata/templates/sshd_config.tpl
+++ b/authority/testdata/templates/sshd_config.tpl
@@ -1,3 +1,4 @@
+Match all
 TrustedUserCAKeys /etc/ssh/ca.pub
 HostCertificate /etc/ssh/{{.User.Certificate}}
-HostKey /etc/ssh/{{.User.Key}}
\ No newline at end of file
+HostKey /etc/ssh/{{.User.Key}}
diff --git a/templates/values.go b/templates/values.go
index fd4ee4c2..7a92ddfc 100644
--- a/templates/values.go
+++ b/templates/values.go
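Review bot: The expected `Content` for `sshd_config.tpl` in `hostOutputWithUserData` still ends at `ssh_host_ecdsa_key` with no trailing `\n`, while the same commit rewrites the last line of `authority/testdata/templates/sshd_config.tpl` so that the file now ends with a newline. If this case renders that testdata file (the template wiring is outside the hunk), the rendered bytes would end in `\n` and the comparison would fail. Either append `\n` to the expected string or keep the fixture without a final newline, so the test keeps guarding the exact text written to `/etc/ssh/sshd_config`. TestAuthority_GetSSHConfig starts and ends outside the hunk.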
@@ -99,7 +99,8 @@ var DefaultSSHTemplateData = map[string]string{
 `,

 // sshd_config.tpl adds the configuration to support certificates
- "sshd_config.tpl": `TrustedUserCAKeys /etc/ssh/ca.pub
+ "sshd_config.tpl": `Match all
+TrustedUserCAKeys /etc/ssh/ca.pub
 HostCertificate /etc/ssh/{{.User.Certificate}}
 HostKey /etc/ssh/{{.User.Key}}`,
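Review bot: The comment above `"sshd_config.tpl"` does not say why the snippet now opens with `Match all`, although that line changes how every directive after it is evaluated. Presumably it is there so that, when the rendered text lands after an existing `Match` block in `/etc/ssh/sshd_config`, `HostCertificate` and `HostKey` are not rejected as directives inside a conditional block; I would record that, e.g. `// "Match all" ends any preceding Match block so the directives below apply to every connection.` Per sshd_config(5), keywords in a matching Match block override the global section, so `TrustedUserCAKeys /etc/ssh/ca.pub` would now take precedence over a `TrustedUserCAKeys` an operator already set globally, and anything appended to the file after this snippet falls under `Match all` until the next `Match` line. The doc comment should mention both effects and recommend checking the merged file with `sshd -t` before reloading. The map literal starts and ends outside the hunk.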