New Subsystem criteria for Match option block in OpenSSH server

Nicola Muto nicola.muto at cryptolab.net
Wed May 23 18:11:18 EST 2012


Sorry guys, there was a misunderstanding due to my wrong words.

Instead, what I wanted to say is that a system administrator who is
configuring the ssh server with the following config lines, for example,

   ...
   AllowTcpForwarding yes
   ...
   Match Subsystem sftp
     AllowTcpForwarding no

"should know what he is doing". That is, the AllowTcpForwarding option
put at global level is active until a client sends an sftp subsystem
request. This is what comes out by reading the above configuration
file, I think.

Sorry again, I'm disappointed.

\\nm


On 2012-05-23 00:14, Peter Stuge wrote:
> Nicola Muto wrote:
>>> This reparsing could also change the server state in unexpected ways,
>>> for example:
>>>
>>> AllowTcpForwarding yes
>>> Match Subsystem sftp
>>> 	AllowTcpForwarding no
>>>
>>> would allow port forwarding until you sent an sftp subsystem request.
>>
>> Sorry Darren, but that's exactly what I expect the ssh server should
>> do, reading this config. So I know what I'm doing with this kind of
>> configuration.
>
> The discussion has nothing to do with you or the needs of Ericsson.
> OpenSSH behaving like the above would be absolutely retarded.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
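
An added example, not part of the thread and not OpenSSH code: a simplified Python model of the behaviour being debated, where options are re-evaluated once the subsystem request arrives. `Match Subsystem` is the criterion proposed in this thread; the parser, the event names and `host.example:80` are constructed for illustration.

```python
# Simplified model of the reparsing behaviour debated in this thread.
# Not sshd's parser: it only understands one-criterion "Match" lines.
CONFIG = """\
AllowTcpForwarding yes
Match Subsystem sftp
    AllowTcpForwarding no
"""  # the configuration quoted in the thread

def parse(text):
    """Return (global_opts, [(criterion, value, opts), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "match":
            current = {}
            blocks.append((words[1].lower(), words[2], current))
        else:
            target = global_opts if current is None else current
            target.setdefault(words[0].lower(), words[1])
    return global_opts, blocks

def effective(config, context):
    """Options in force given what the server knows about the connection."""
    global_opts, blocks = config
    opts = dict(global_opts)
    for criterion, value, block_opts in reversed(blocks):
        if context.get(criterion) == value:      # first matching block wins
            opts.update(block_opts)
    return opts

def replay(config, events):
    """Replay channel requests in order; return a verdict per forward."""
    context, verdicts = {}, []
    for kind, arg in events:
        if kind == "subsystem":
            context["subsystem"] = arg           # only now can the Match apply
        elif kind == "direct-tcpip":
            opts = effective(config, context)
            verdicts.append((arg, opts["allowtcpforwarding"] == "yes"))
    return verdicts

# Constructed session: the same forward is requested before and after sftp.
EVENTS = [("direct-tcpip", "host.example:80"), ("subsystem", "sftp"),
          ("direct-tcpip", "host.example:80")]

print(replay(parse(CONFIG), EVENTS))
```

The first forward is evaluated before the server knows which subsystem will be requested, so only the global setting applies to it.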


