[Bug 3763] New: Clarify Match criteria in sshd_config(5)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Dec 9 03:26:33 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3763

            Bug ID: 3763
           Summary: Clarify Match criteria in sshd_config(5)
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: chris at chrullrich.net

(This is based on the text currently available at
https://man.openbsd.org/sshd_config, which looks rather similar to the
mandoc source in CVSweb.)

From the sshd_config(5) man page's section on Match:

> The available criteria are User, Group, Host, LocalAddress,
> LocalPort, RDomain, and Address

The manual does not explain what each of these criteria matches
against.

Most of them are fairly simple, I think, but correct me (and the man
page) if I'm wrong:

- User: The user attempting to connect
- Group: Any group containing the user attempting to connect
- Host: The connecting host
- LocalAddress: The local address receiving the connection
- LocalPort: The local port receiving the connection
- RDomain: Some OpenBSD thing I'm not conversant with, but that
  is probably obvious to anyone familiar with the concept

What is not clear to me is what "Address" does. I think it compares
against the incoming connection's source address, but this detail is
not explicitly mentioned anywhere. The difference from Host is probably
that

- Host performs a "glob-style" match against both the source address
  and, if enabled and successful, the resolved host name;

- Address can compare the source address for address equality (without
  netmask) or for subnet equality (with netmask), and the use of
  "additionally" in its description means that it can also do the
  same "glob-style" string match as Host.

It should be made clearer what each of the available criteria compares
against, and how.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
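
The two comparison styles the report contrasts for Host and Address, modelled in Python as an added example (not part of the original report and not OpenSSH's code). The function names and sample addresses are constructed, and the model assumes only `*`/`?` wildcards and address/masklen notation.

```python
import ipaddress
import re

# Constructed sample source addresses, not taken from the bug report.
SAMPLES = ["10.1.2.3", "10.10.0.5", "10.1.0.0", "10.100.7.7"]


def glob_match(pattern, text):
    """Glob-style string match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None


def cidr_match(spec, addr):
    """Numeric match: exact address, or membership in address/masklen."""
    try:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(spec)  # a bare address becomes /32 or /128
    except ValueError:
        return False  # host name, or malformed spec: no numeric match here
    return ip.version == net.version and ip in net


def compare(glob_pat, cidr_spec, addrs):
    """Map each address to (glob result, numeric result)."""
    return {a: (glob_match(glob_pat, a), cidr_match(cidr_spec, a))
            for a in addrs}


def disagreements(glob_pat, cidr_spec, addrs):
    """Addresses on which the string match and the numeric match differ."""
    return [a for a, (g, c) in compare(glob_pat, cidr_spec, addrs).items()
            if g != c]


if __name__ == "__main__":
    # A glob without the trailing dot is a string prefix, not a subnet.
    for pat in ("10.1*", "10.1.*"):
        print(pat, "vs 10.1.0.0/16 differ on:",
              disagreements(pat, "10.1.0.0/16", SAMPLES))
```

A pattern such as `10.1*` is a string prefix and also covers `10.10.0.5` and `10.100.7.7`, while `10.1.0.0/16` does not, which is why the distinction the report asks the manual to spell out matters when writing Match blocks.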
