sshd config parser

Darren Tucker dtucker at
Thu Mar 30 00:18:04 EST 2006

Hi All.

For various reasons, we're currently looking at extending (or even
overhauling) the config parser used for sshd_config.

Right now the syntax I'm looking at is a cumulative "Match" keyword that
matches when all of the specified criteria are met.  This would be
similar the the Host directive used in ssh_config, although it's still
limiting (eg you can't easily nest directives).

"Match" would be first-match, same as ssh_config.  (I think this is
simpler for both implementation and configuration, but needs more
careful planning of the directives).

This would be especially useful with the RequiredAuthentications patch
in bugzilla, eg:

# allow anyone to authenticate normally from the local net
Match Address
	RequiredAuthentications default

# allow admins from the dmz with pubkey and password
Match Group admins Address
	RequiredAuthentications publickey,password

# deny untrusted and local users from any other net
Match Group untrusted,lusers
	RequiredAuthentications deny

# anyone else gets normal behaviour
Match all
	RequiredAuthentications default

There's also some potential for other things too:

Match User anoncvs
	PermitTcpForwarding no

Match Group nosftp
	Subsystem sftp /bin/false

Anyway, some food for thought.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list