Match rules question

Iain Morgan imorgan at nas.nasa.gov
Wed Mar 25 08:38:34 EST 2009


On Tue, Mar 24, 2009 at 14:56:32 -0500, Ben Lindstrom wrote:
> 
> Currently I see that "PubkeyAuthentication" is currently excluded as  
> being usable with the Match command in 5.1 and 5.2.  Is there a reason  
> for this?  There is a discussion in-house where we'd like to do:
> 
> PubkeyAuthentication no
> 
> Match Address [INTERNAL-IP-LIST]
> PubkeyAuthentication Yes
> 

Did you actually test this or are you going by the man page? I don't see
pubkeyauthentication listed as one of the allowed options under the
Match directive, but a glance at servconf.c indicates that it is
supported. Likewise, sshd -t against an sshd_config similar to the one
above does not complain.

This looks to me like it's a documentation bug. In any case, please file
a bug at https://bugzilla.mindrot.org so the issue does not get
forgotten.

-- 
Iain Morgan
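
Added example (not part of the original message and not OpenSSH code): a simplified Python model of how the configuration quoted above resolves `PubkeyAuthentication` for a given client address, useful for checking that a global `no` really is overridden only for the intended ranges. The CIDR ranges are constructed placeholders for the elided `[INTERNAL-IP-LIST]`, the function names are hypothetical, and only `Match Address` with comma-separated addresses or CIDR ranges is modelled.

```python
import ipaddress

# Constructed sample mirroring the config in the thread; the CIDR ranges
# are placeholders standing in for the elided [INTERNAL-IP-LIST].
SAMPLE_CONFIG = """\
PubkeyAuthentication no
PasswordAuthentication yes

Match Address 10.0.0.0/8,192.168.10.0/24
    PubkeyAuthentication Yes
"""

def addr_matches(client, patterns):
    """True if client falls inside any comma-separated address/CIDR pattern."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False)
               for p in patterns.split(","))

def effective(config, keyword, client):
    """Resolve a keyword for a client address (simplified model of sshd).

    Assumptions: only 'Match Address' criteria are modelled. The first value
    in the global section wins, and the first value from a satisfied Match
    block overrides the global one.
    """
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, pats = arg.partition(" ")
            if crit.lower() != "address" or not pats.strip():
                raise ValueError("only 'Match Address <list>' is modelled: " + raw)
            in_match, active = True, addr_matches(client, pats)
        elif key == keyword:
            if not in_match and global_val is None:
                global_val = arg.lower()
            elif in_match and active and match_val is None:
                match_val = arg.lower()
    return match_val if match_val is not None else global_val
```

This models only the lookup order; sshd itself remains the authority, either through the `sshd -t` syntax check mentioned in the message or through its extended test mode (`sshd -T` with a `-C` connection specification).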


More information about the openssh-unix-dev mailing list