sshd config parser

Senthil Kumar senthilkumar_sen at
Sat Apr 1 22:53:01 EST 2006

Hi Darren,

This is what I need. I have filed an enhancement request for this at

I would prefer to extend the current Host directive for this purpose.

Senthil Kumar.

----- Original Message ----- 
From: "Darren Tucker" <dtucker at>
To: "OpenSSH Devel List" <openssh-unix-dev at>
Sent: Wednesday, March 29, 2006 6:48 PM
Subject: sshd config parser

> Hi All.
> For various reasons, we're currently looking at extending (or even
> overhauling) the config parser used for sshd_config.
> Right now the syntax I'm looking at is a cumulative "Match" keyword that
> matches when all of the specified criteria are met.  This would be
> similar to the Host directive used in ssh_config, although it's still
> limiting (eg you can't easily nest directives).
> "Match" would be first-match, same as ssh_config.  (I think this is
> simpler for both implementation and configuration, but needs more
> careful planning of the directives).
> This would be especially useful with the RequiredAuthentications patch
> in bugzilla, eg:
> # allow anyone to authenticate normally from the local net
> Match Address
> RequiredAuthentications default
> # allow admins from the dmz with pubkey and password
> Match Group admins Address
> RequiredAuthentications publickey,password
> # deny untrusted and local users from any other net
> Match Group untrusted,lusers
> RequiredAuthentications deny
> # anyone else gets normal behaviour
> Match all
> RequiredAuthentications default
> There's also some potential for other things too:
> Match User anoncvs
> PermitTcpForwarding no
> Match Group nosftp
> Subsystem sftp /bin/false
> Anyway, some food for thought.
> -- 
> Darren Tucker (dtucker at
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

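Added example, not part of either message and not OpenSSH code: a small Python evaluator for the Match syntax proposed in the quoted message, combining cumulative criteria with first-match resolution. The CIDR networks, the function names `parse`, `matches` and `effective`, and the reading of "first-match" as "first obtained value per keyword wins" are assumptions of this example.

```python
import ipaddress

# Constructed sample in the proposed syntax. The two networks are
# documentation ranges picked for this example, not values from the post.
SAMPLE = """\
# allow anyone to authenticate normally from the local net
Match Address 192.0.2.0/24
RequiredAuthentications default
# allow admins from the dmz with pubkey and password
Match Group admins Address 198.51.100.0/24
RequiredAuthentications publickey,password
# deny untrusted and local users from any other net
Match Group untrusted,lusers
RequiredAuthentications deny
# anyone else gets normal behaviour
Match all
RequiredAuthentications default
"""
CRITERIA = ("user", "group", "address")

def parse(text):
    """Return [(criteria, settings)] in file order; block 0 is the global section."""
    blocks = [({}, {})]
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() != "match":
            blocks[-1][1].setdefault(words[0].lower(), " ".join(words[1:]))
            continue
        args = [] if [w.lower() for w in words[1:]] == ["all"] else words[1:]
        if len(words) < 2 or len(args) % 2 or any(a.lower() not in CRITERIA for a in args[::2]):
            raise ValueError("bad Match line: " + line)  # fail closed on unknown criteria
        blocks.append(({k.lower(): v.split(",") for k, v in zip(args[::2], args[1::2])}, {}))
    return blocks

def matches(criteria, user, groups, addr):
    """Cumulative: every criterion on the Match line must hold (none for 'all')."""
    ip = ipaddress.ip_address(addr)
    tests = {"user": lambda p: user in p,
             "group": lambda p: bool(set(p) & set(groups)),
             "address": lambda p: any(ip in ipaddress.ip_network(n) for n in p)}
    return all(tests[name](patterns) for name, patterns in criteria.items())

def effective(text, user, groups, addr):
    """First obtained value per keyword wins, as in ssh_config (assumed reading)."""
    result = {}
    for criteria, settings in parse(text):
        if matches(criteria, user, groups, addr):
            for key, value in settings.items():
                result.setdefault(key, value)
    return result
```

With this ordering, a member of `untrusted` connecting from 192.0.2.0/24 resolves to `default`, because the first block has already supplied the value; reordering the blocks changes the outcome.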