New Subsystem criteria for Match option block in OpenSSH server
Ángel González
keisial at gmail.com
Thu May 24 00:57:37 EST 2012
On 23/05/12 15:31, Nicola Muto wrote:
> Ok Darren, you confirmed my doubts about adding a Match-Subsystem
> option to sshd, most of all because of the ChrootDirectory+PrivilegeSeparation
> problem.
>
> Now I have a question. What is it that sounds bad, the implementation of the
> patch or the Match-Subsystem idea itself?
> In other words, is it possible to solve all of these issues by providing
> another implementation? Am I doing something wrong or forgetting something?
>
> If so, a new implementation would not be so simple and would have heavy
> impacts on the source. Moreover, I think that Peter's issue can't be solved
> by whatever implementation is proposed. Am I right?
>
> If not, then the Match-Subsystem solution itself sounds like not a good idea.
>
> Please let me know what you think about it. Thank you in advance.
After reading Peter's and Darren's replies, I agree with them that a
Subsystem match to set forwarding makes no sense.
OTOH, I think you should be setting them globally.
Where you requested this setup:
> Match Subsystem sftp
> ChrootDirectory /path/to/sftp/data/jail/on/the/server
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
What you need is probably this:
> X11Forwarding no
> AllowTcpForwarding no
> Match Subsystem sftp
> ChrootDirectory /path/to/sftp/data/jail/on/the/server
> ForceCommand internal-sftp
Chroot and executed command *are* a property of the subsystem. It's a
bit weird to have different chroots, but that's what you require.
No special reason to use ForceCommand instead of "Subsystem sftp
internal-sftp", though.
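The layout the reply recommends, worked through as an added example (this is not code from the thread, from OpenSSH, or from either poster): forwarding is switched off globally, and the chroot plus forced sftp command live in a Match block. Since sshd has no `Match Subsystem`, the block below uses `Match Group sftponly`, an assumed group name; `/srv/sftp/%u` is likewise an assumed path. The point being checked is the one the reply makes about placement: in sshd_config everything after the first `Match` line belongs to that block until the next `Match`, so a "global" directive placed below a Match block silently applies only to the matched connections. The awk helper reproduces that scoping rule offline and reports where a given keyword first takes effect; on a real host, `sshd -T -C user=alice,host=h,addr=1.2.3.4` prints the effective configuration for a connection, and `sshd -t -f FILE` validates a candidate file.

```shell
#!/bin/sh
# Added example, not OpenSSH or the thread's own code.
# Group "sftponly" and path "/srv/sftp/%u" are assumptions for illustration.
# ChrootDirectory must be owned by root and not writable by anyone else
# (sshd_config(5)); %u expands to the user name.
# Note that Subsystem is not accepted inside a Match block, which is why the
# scoped part uses ForceCommand internal-sftp while the global Subsystem line
# serves everyone else.

# Constructed config laid out the way the reply suggests: globals first,
# Match block last.
write_good_config() {
  cat > "$1" <<'EOF'
Port 22
X11Forwarding no
AllowTcpForwarding no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

# Constructed config with the mistake the reply warns against: the forwarding
# directives sit below the Match block, so they apply only to sftponly users
# and every other user keeps forwarding enabled.
write_bad_config() {
  cat > "$1" <<'EOF'
Port 22
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
EOF
}

# directive_scope FILE KEYWORD
# Prints "global" if the keyword's first occurrence is above any Match line,
# "match:<criteria>" if it first appears inside a Match block, or "unset".
# Keywords are case-insensitive, as in sshd_config(5).
directive_scope() {
  awk -v want="$2" '
    BEGIN { want = tolower(want); scope = "global"; found = "unset" }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
      kw = tolower($1)
      if (kw == "match") {
        # Everything after this line belongs to this Match block.
        scope = "match:"
        for (i = 2; i <= NF; i++) scope = scope (i > 2 ? " " : "") $i
        next
      }
      if (kw == want && found == "unset") found = scope
    }
    END { print found }
  ' "$1"
}

# Stand-alone demonstration: compare the two layouts.
demo() {
  f=$(mktemp)
  write_good_config "$f"
  printf 'good: AllowTcpForwarding scope = %s\n' "$(directive_scope "$f" AllowTcpForwarding)"
  write_bad_config "$f"
  printf 'bad:  AllowTcpForwarding scope = %s\n' "$(directive_scope "$f" AllowTcpForwarding)"
  rm -f "$f"
}
demo
```

The bad layout is easy to miss by eye because the directives are all present and `sshd -t` accepts the file; only the effective per-connection view (`sshd -T -C ...`) or a scope check like the one above shows that non-sftp users still have TCP and X11 forwarding.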