New Subsystem criteria for Match option block in OpenSSH server

John Olsson M john.m.olsson at ericsson.com
Wed May 23 13:37:16 EST 2012


> The discussion has nothing to do with you or the needs of Ericsson.
> OpenSSH behaving like the above would be absolutely retarded.

I agree!


>> would allow port forwarding until you sent an sftp subsystem request.

My interpretation (as an end user) of the construct shown below is that AllowTcpForwarding is not allowed for the SFTP subsystem, that is, if you connect to the server using the SFTP subsystem. All other connection requests for other subsystems would still allow port forwarding.

Now I do not know how much sense the above makes.

Perhaps one should define a list of configuration statements that act as a nop (no operation) when a match against subsystem is done?


/John
________________________________________
From: openssh-unix-dev-bounces+john.m.olsson=ericsson.com at mindrot.org [openssh-unix-dev-bounces+john.m.olsson=ericsson.com at mindrot.org] On Behalf Of Peter Stuge [peter at stuge.se]
Sent: Wednesday, May 23, 2012 02:14
To: openssh-unix-dev at mindrot.org
Subject: Re: New Subsystem criteria for Match option block in OpenSSH server

Nicola Muto wrote:
>> This reparsing could also change the server state in unexpected ways,
>> for example:
>>
>> AllowTcpForwarding yes
>> Match Subsystem sftp
>>      AllowTcpForwarding no
>>
>> would allow port forwarding until you sent an sftp subsystem request.
>
> Sorry Darren, but that's exactly what I expect the ssh server should
> do, reading this config. So I know what I'm doing with this kind of
> configuration.

The discussion has nothing to do with you or the needs of Ericsson.
OpenSSH behaving like the above would be absolutely retarded.


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev