sshd config parser
Darren Tucker
dtucker at zip.com.au
Wed Apr 5 07:55:47 EST 2006
Jefferson Ogata wrote:
> On 04/01/2006 09:43 PM, Darren Tucker wrote:
>> Here's an updated patch. It's not actually as big as it looks as nearly
>> half of it is adding a flag to the keyword struct and a large comment.
>>
>> The supported Match directives are User, Group, Host and Address.
>
> Overall I'm liking this a lot--it addresses some needs I've had for a
> long time.
>
> Couple of silly questions; sorry if I missed the answer to these:
>
> 1. Why the "Match" keyword? Why not just "Host foo.example.com" or "User
> bozo"?
It's simpler to write that way. There's only one additional keyword,
and that keyword can support multiple criteria (i.e. the conditions on a
Match line are a logical AND).
This lets you do things like "Match Group trusted Host 192.168.0.*"
which would match only members of the "trusted" group connecting from
192.168.0.0/24.
Without "Match", each condition would be a keyword in its own right.
Matching on multiple conditions would either not be supported, or each
keyword would need to explicitly check for other criteria.
> 2. How does "Host" with wildcards interact with DNS? E.g. will "Host
> 192.168.0.*" match 192.168.0.evil.domain?
It would, which is why...
> 3. What is "Address"?
Source address of the connection.
I don't like the way the existing match functionality conflates hostname
and address because it causes potential problems like #2 above.
> 4. What about CIDR notation?
Not supported yet but planned. It's a straightforward extension of the
existing address matching code (it's orthogonal to the Match keyword
stuff so it should also work for existing matching directives such as
AllowUsers).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
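As an added illustration of the semantics discussed in this message (not code from the patch or from OpenSSH), the toy model below evaluates a Match line as a logical AND of its criteria and shows why a Host wildcard is weaker than an Address wildcard when the reverse-DNS name is attacker-controlled. The wildcard matcher, the connection fields and the sample values are constructed assumptions.

```python
import re

# Constructed toy model of sshd "Match" semantics as described in the thread.
# Not sshd's own parser: it only shows the AND of criteria and the Host/Address
# distinction. Connection fields ("user", "groups", "host", "address") are assumed.

def match_pattern(pattern: str, value: str) -> bool:
    """OpenSSH-style wildcard match: '*' matches any run, '?' one character.
    A comma-separated pattern is a list; any one element may match."""
    for pat in pattern.split(","):
        regex = "^" + re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, value):
            return True
    return False

def parse_match_line(line: str) -> dict:
    """Parse 'Match User bozo Address 192.168.0.*' into
    {'user': 'bozo', 'address': '192.168.0.*'}; criteria are keyword/value pairs."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "match" or len(tokens) % 2 == 0:
        raise ValueError(f"malformed Match line: {line!r}")
    return {tokens[i].lower(): tokens[i + 1] for i in range(1, len(tokens), 2)}

def match_applies(line: str, conn: dict) -> bool:
    """The block applies only if every criterion matches (logical AND).
    Group matches if any of the user's groups matches the pattern."""
    for key, pattern in parse_match_line(line).items():
        if key == "group":
            if not any(match_pattern(pattern, g) for g in conn["groups"]):
                return False
        elif key in ("user", "host", "address"):
            if not match_pattern(pattern, conn[key]):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {key}")
    return True

def demo() -> dict:
    # Constructed connection: the reverse-DNS name is under the remote side's
    # control, the source address is not.
    conn = {"user": "bozo", "groups": ["users", "trusted"],
            "host": "192.168.0.evil.domain", "address": "10.9.8.7"}
    return {
        # Host wildcard is satisfied by a crafted hostname (question 2 above)
        "host_wildcard_fooled": match_applies("Match Group trusted Host 192.168.0.*", conn),
        # Address is checked against the real source IP, so it is not
        "address_not_fooled": match_applies("Match Group trusted Address 192.168.0.*", conn),
        # User matches but Group does not, so the AND fails
        "and_semantics": match_applies("Match User bozo Group admins", conn),
    }
```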