[Bug 3763] New: Clarify Match criteria in sshd_config(5)
bugzilla-daemon at mindrot.org
Mon Dec 9 03:26:33 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3763
Bug ID: 3763
Summary: Clarify Match criteria in sshd_config(5)
Product: Portable OpenSSH
Version: 9.9p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: chris at chrullrich.net
(This is based on the text currently available at
https://man.openbsd.org/sshd_config, which looks rather similar to the
mandoc source in CVSweb.)
From the sshd_config(5) man page's section on Match:
> The available criteria are User, Group, Host, LocalAddress,
> LocalPort, RDomain, and Address
The manual does not explain what each of these criteria matches
against.
Most of them are fairly simple, I think, but correct me (and the man
page) if I'm wrong:
- User: The user attempting to connect
- Group: Any group containing the user attempting to connect
- Host: The connecting host
- LocalAddress: The local address receiving the connection
- LocalPort: The local port receiving the connection
- RDomain: Some OpenBSD thing I'm not conversant with, but that
is probably obvious to anyone familiar with the concept
What is not clear to me is what "Address" does. I think it compares
against the incoming connection's source address, but this detail is
not explicitly mentioned anywhere. The difference from Host is probably
that
- Host performs a "glob-style" match against both the source address
and, if enabled and successful, the resolved host name;
- Address can compare the source address for address equality (without
netmask) or for subnet equality (with netmask), and the use of
"additionally" in its description means that it can also do the
same "glob-style" string match as Host.
It should be made clearer what each of the available criteria compares
against, and how.
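An added illustration (not part of the bug report and not OpenSSH code) of why the distinction raised above matters when writing access rules: a wildcard match on the string form of an address versus address or subnet equality. The function names, the comma-separated list handling and the sample addresses are assumptions constructed for this example; it models the two comparison styles, not sshd's actual implementation.

```python
import ipaddress
import re


def glob_match(pattern, text):
    """String match where '*' is any run of characters and '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None


def host_style(patterns, name):
    """Glob-style comparison against a string (a host name or a printed address)."""
    return any(glob_match(p.strip(), name) for p in patterns.split(","))


def address_style(patterns, addr):
    """Address comparison: subnet membership, address equality, else glob fallback."""
    ip = ipaddress.ip_address(addr)

    def one(p):
        if "/" in p:
            # strict=True raises ValueError if host bits are set in the network
            return ip in ipaddress.ip_network(p, strict=True)
        try:
            return ip == ipaddress.ip_address(p)  # numeric equality, not string
        except ValueError:
            return glob_match(p, addr)            # not an address: treat as glob

    return any(one(p.strip()) for p in patterns.split(","))


if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("10.1.2.3", "10.100.0.5", "2001:0db8:0:0:0:0:0:1"):
        print(src,
              "glob 10.1*:", host_style("10.1*", src),
              "cidr 10.1.0.0/16:", address_style("10.1.0.0/16", src),
              "cidr 2001:db8::/32:", address_style("2001:db8::/32", src))
```

In this model the glob `10.1*` also admits 10.100.0.5, and a glob written against the compressed IPv6 form misses the same address printed uncompressed, while the subnet comparison is unaffected by either.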