sshd config parser

Darren Tucker dtucker at
Wed Apr 5 07:55:47 EST 2006

Jefferson Ogata wrote:
> On 04/01/2006 09:43 PM, Darren Tucker wrote:
>> Here's an updated patch.  It's not actually as big as it looks as nearly
>> half of it is adding a flag to the keyword struct and a large comment.
>> The supported Match directives are User, Group, Host and Address.
> Overall I'm liking this a lot--it addresses some needs I've had for a
> long time.
> Couple of silly questions; sorry if I missed the answer to these:
> 1. Why the "Match" keyword. Why not just "Host" or "User
> bozo"?

It's simpler to write that way.  There's only one additional keyword,
and that keyword can support multiple criteria (ie the conditions on a
Match line are a logical AND).

This lets you do things like "Match Group trusted Host 192.168.0.*"
which would match only members of the "trusted" group connecting from

Without "Match", each condition would be a keyword in its own right.
Matching on multiple conditions would either not be supported, or each
keyword would need to explicitly check for other criteria.

> 2. How does "Host" with wildcards interact with DNS? E.g. will "Host
> 192.168.0.*" match 192.168.0.evil.domain?

It would, which is why...

> 3. What is "Address"?

Source address of the connection.

I don't like the way the existing match functionality conflates hostname
and address because it causes potential problems like #2 above.

> 4. What about CIDR notation?

Not supported yet but planned.  It's a straightforward extension of the
existing address matching code (it's orthogonal to the Match keyword
stuff so it should also work for existing matching directive such as

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
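The semantics described in this message (criteria on one Match line are ANDed, Host compares against the resolved name while Address compares against the connection's source address, and the planned CIDR form for Address) modelled as an added, self-contained Python example. This is not code from the OpenSSH patch under discussion; the `Connection` record, the pattern-matching helpers and the sample connections are all constructed here for illustration, and wildcard matching is approximated with `fnmatch` rather than sshd's own matcher. It shows why question 2 matters: a `Host 192.168.0.*` criterion is satisfied by a reverse-DNS name of `192.168.0.evil.domain`, whereas `Address 192.168.0.*` is not.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """Facts about one incoming connection that a Match line is evaluated against.
    (Constructed model, not sshd's internal structure.)"""
    user: str
    groups: frozenset      # groups the authenticating user belongs to
    host: str              # reverse-DNS name the server resolved for the peer
    address: str           # peer IP address as seen on the socket


def match_criterion(keyword: str, pattern: str, conn: Connection) -> bool:
    """Evaluate a single 'Keyword pattern' pair from a Match line."""
    if keyword == "User":
        return fnmatch.fnmatchcase(conn.user, pattern)
    if keyword == "Group":
        # Any group membership satisfying the pattern is enough.
        return any(fnmatch.fnmatchcase(g, pattern) for g in conn.groups)
    if keyword == "Host":
        # Matches the resolved hostname only. A '*' wildcard also swallows
        # dots, so "192.168.0.*" matches the name "192.168.0.evil.domain".
        return fnmatch.fnmatchcase(conn.host, pattern)
    if keyword == "Address":
        # Matches the source IP, never the name, so a crafted reverse-DNS
        # record cannot influence it.
        if "/" in pattern:
            # CIDR form: the extension the message says is planned, not part
            # of the patch being discussed.
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(conn.address) in network
        return fnmatch.fnmatchcase(conn.address, pattern)
    raise ValueError(f"unsupported Match criterion: {keyword}")


def match_line(line: str, conn: Connection) -> bool:
    """Evaluate a whole 'Match K1 P1 K2 P2 ...' line.

    All criteria must hold (logical AND), as the message describes."""
    tokens = line.split()
    if not tokens or tokens[0] != "Match":
        raise ValueError("not a Match line")
    if len(tokens) % 2 == 0:
        # "Match" plus complete keyword/pattern pairs is always an odd count.
        raise ValueError("Match criterion without a pattern")
    pairs = zip(tokens[1::2], tokens[2::2])
    return all(match_criterion(k, p, conn) for k, p in pairs)


# Constructed sample connections.
LAN_TRUSTED = Connection("alice", frozenset({"trusted", "users"}),
                         "192.168.0.7", "192.168.0.7")
LAN_UNTRUSTED = Connection("bob", frozenset({"users"}),
                           "192.168.0.8", "192.168.0.8")
# Remote peer whose reverse-DNS name was chosen to look like a LAN address.
SPOOFED_NAME = Connection("alice", frozenset({"trusted"}),
                          "192.168.0.evil.domain", "203.0.113.9")


if __name__ == "__main__":
    rule_host = "Match Group trusted Host 192.168.0.*"
    rule_addr = "Match Group trusted Address 192.168.0.*"
    for name, conn in [("LAN_TRUSTED", LAN_TRUSTED),
                       ("LAN_UNTRUSTED", LAN_UNTRUSTED),
                       ("SPOOFED_NAME", SPOOFED_NAME)]:
        print(f"{name:14} Host rule: {match_line(rule_host, conn)!s:5} "
              f"Address rule: {match_line(rule_addr, conn)}")
```

Running the script prints one line per sample connection; the SPOOFED_NAME row is the one that differs between the two rules, which is the practical reason to express network-based restrictions with Address rather than Host.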
