hi folks-- Can a Match block cover a Subsystem directive in sftp? https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1 suggests that Match can cover Subsystem, but sshd_config (at least, in 5.5p1) doesn't mention Subsystem within the description of Match. What should administrators expect? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20101213/0b1c0641/attachment.bin>
On Mon, Dec 13, 2010 at 13:00:55 -0600, Daniel Kahn Gillmor wrote:> hi folks-- > > Can a Match block cover a Subsystem directive in sftp? > > https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1 > > suggests that Match can cover Subsystem, but sshd_config (at least, in > 5.5p1) doesn't mention Subsystem within the description of Match. > > What should administrators expect? > > --dkg >No, the Subsystem directive is not supported under Match blocks. You can check this in servconf.c. Look for the definition of the keywords array. The third field in each entry indicates whether the option is supported in Match blocks or not. For those that are, you will normally see SSHCFG_ALL. In the case of Subsystem, it is SSHCFG_GLOBAL which means it is only supported in the global section. -- Iain Morgan
On 14/12/10 6:00 AM, Daniel Kahn Gillmor wrote:> hi folks-- > > Can a Match block cover a Subsystem directive in sftp? > > https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1 > > suggests that Match can cover Subsystem, but sshd_config (at least, in > 5.5p1) doesn't mention Subsystem within the description of Match.Right now Subsystem is only allowed in global scope ie not in a Match block. We only implemented the things that had a plausible use case to keep the number of permutations down. Is there a plausible use case for this?> What should administrators expect?That the documentation is accurate :-) (and if it's not, that it's a reportable bug) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Possibly Parallel Threads
- [Bug 1506] New: rationalize agent behavior on smartcard removal/reattachment
- request: add IP address to a log message to allow blocking
- [Bug 1777] New: KnownHostsCommand
- Match vs. ChallengeResponseAuthentication?
- ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)