Should Subsystem work in a Match block?
Darren Tucker
dtucker at zip.com.au
Tue Dec 14 12:30:41 EST 2010
On 14/12/10 9:13 AM, Darren Tucker wrote:
> On 14/12/10 6:00 AM, Daniel Kahn Gillmor wrote:
>> Can a Match block cover a Subsystem directive in sftp?
[...]
>
> Right now Subsystem is only allowed in global scope ie not in a Match
> block.
Also, since Subsystem is actually a list of name/executable pairs, it's
not clear what the semantics of Match+Subsystem should be.
Subsystem sftp foo
Match User fred
Subsystem sftp bar
the intent here seems to be to replace the the "sftp" subsystem with
"bar" for fred.
Subsystem sftp foo
Match User fred
Subsystem bar baz
The intent here isn't clear: is sftp supposed to work for fred or not?
The way other list things work is that using "none" clears the list so
something like this is feasible:
Subsystem sftp foo
Match User fred
Subsystem none
Subsystem bar baz
although I suspect it's not obvious if you don't know the implementation.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list