This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Add new option ssh_server_match_address #230

Closed
MatthiasLohr opened this issue Aug 2, 2019 · 2 comments

@MatthiasLohr
Contributor

Is your feature request related to a problem? Please describe.
In my opinion it is a questionable design decision to write the sshd_custom_options at the beginning of the configuration file. Normally you try to overwrite things that the Playbook doesn't offer so far. Example:

Match Address 10.196.1.0/24
  PermitRootLogin yes
  PasswordAuthentication yes

This does not work, because the later occurring global PermitRootLogin no overwrites this again.

Describe the solution you'd like
There are already workarounds for Match User/Match Group, it would be great if you could introduce them for Match Address as well.

Describe alternatives you've considered
Another possibility, which I think should be offered anyway, would be the support for custom options at the end of the configuration file.

Best regards
Matthias

rndmh3ro added a commit that referenced this issue Aug 5, 2019
added support for `ssh_server_match_address` (#230)
@MatthiasLohr
Contributor Author

Implemented by #231.

@rndmh3ro
Member

rndmh3ro commented Aug 5, 2019

Hey @MatthiasLohr,

sshd uses the first found option in its configuration; later found options are discarded. So if you have this in your config:

AddressFamily inet
AddressFamily any

the resulting option will be AddressFamily inet. That's why the sshd_custom_options is at the beginning of the file - to make it possible to override all options. Match options are an exception here as they should be at the end of the file according to the manpage:

     Match   Introduces a conditional block.  If all of the criteria on the Match line are
             satisfied, the keywords on the following lines override those set in the global
             section of the config file, until either another Match line or the end of the file.
             If a keyword appears in multiple Match blocks that are satisfied, only the first
             instance of the keyword is applied.

> This does not work, because the later occurring global PermitRootLogin no overwrites this again.

This should not be happening.
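
A minimal model of the resolution order described in the comment above, as an added example that is not part of the original thread or the project's code. It handles only `Match Address` with CIDR patterns (a simplifying assumption); the function name `effective_options` and the sample client addresses are constructed for illustration.

```python
import ipaddress

def effective_options(config_text, client_addr):
    """Resolve sshd_config keywords for one client address (simplified model)."""
    addr = ipaddress.ip_address(client_addr)
    global_opts, match_opts = {}, {}
    target = global_opts  # section that receives the current line
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            criterion, _, patterns = value.partition(" ")
            satisfied = criterion.lower() == "address" and any(
                addr in ipaddress.ip_network(p.strip(), strict=False)
                for p in patterns.split(","))
            # A Match block runs until the next Match line or end of file.
            target = match_opts if satisfied else {}
            continue
        # First occurrence wins within a section; later ones are discarded.
        target.setdefault(keyword, value)
    # Keywords from satisfied Match blocks override the global section.
    return {**global_opts, **match_opts}

# Constructed sample built from the directives quoted in this thread.
SAMPLE = """\
AddressFamily inet
AddressFamily any
PermitRootLogin no
PasswordAuthentication no

Match Address 10.196.1.0/24
  PermitRootLogin yes
  PasswordAuthentication yes
"""

if __name__ == "__main__":
    for client in ("10.196.1.7", "192.0.2.10"):
        opts = effective_options(SAMPLE, client)
        print(client, opts["addressfamily"], opts["permitrootlogin"],
              opts["passwordauthentication"])
```

On a real host, `sshd -T -C addr=<client address>` prints the effective configuration for a given connection and is the authoritative check before widening root or password login for a subnet.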
