New Subsystem criteria for Match option block in OpenSSH server

[Peter Stuge]

Nicola Muto wrote:
> Sorry guys, there was a misunderstanding due to my wrong words.

Actually I think I understood.


> a system administrator that is configuring the ssh server with the
> following config lines, for example,
>
>   ...
>   AllowTcpForwarding yes
>   ...
>   Match Subsystem sftp
>     AllowTcpForwarding no
>
> "should know what he is doing".

My point is that this is extremely unintuitive and if the admin also
knows roughly how the SSH protocol works then it is directly
confusing. I am strongly opposed to introducing this kind of
indeterministic and inconsequent behavior into any program, and
into sshd in particular.


//Peter