New Subsystem criteria for Match option block in OpenSSH server

Ben Lindstrom mouring at eviladmin.org
Thu May 24 01:05:31 EST 2012


On May 23, 2012, at 8:31 AM, Nicola Muto wrote:

> Ok Darren, you confirmed my doubts about adding Match-Subsystem
> option to sshd, most of all for the ChrootDirectory+PrivilegeSeparation
> problem.
> 
> Now I have a question. What is it that sounds bad: the implementation of the
> patch or the Match-Subsystem idea itself?
> In other words, is it possible to solve all of these issues by providing another
> implementation? Am I doing something wrong or forgetting something?
> 
> If so, a new implementation would not be so simple and would have a heavy impact
> on the source. Moreover, I think that Peter's issue can't be solved
> by whatever implementation is proposed. Am I right?

I'm not sure any patch would be acceptable.  The heart of the issue is simple:

Set up a ControlMaster, start a shell connection to the server, then start
an sftp connection reusing that control. If you set anything like "don't allow
forward, etc." now forwarding is disabled for the shell and for sftp. This isn't
logical behavior that someone would expect unless they understood the
ssh protocol.

So unless you limit the protocol so you can only setup a single session type
(subsystem, shell, etc) per connection then I can't see how this is a sane 
feature for admins to wrap their heads around.

- Ben
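Ben's scenario, as an added Python model that is not OpenSSH code (the sshd_config fragment, the users and the groups are constructed for the illustration): sshd settles its Match blocks once per connection, during authentication, so a shell channel and an sftp subsystem channel multiplexed over one ControlMaster connection inherit the same AllowTcpForwarding and ChrootDirectory values. A subsystem name only arrives later, in a per-channel request, which is why it cannot serve as a Match criterion in this model.

```python
"""Model of how sshd applies Match blocks to one multiplexed connection.
Added illustration, not OpenSSH code: options are fixed once per connection,
then every channel (shell, sftp subsystem) opened on it sees the same values."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed sshd_config fragment (example only).
SSHD_CONFIG = """\
AllowTcpForwarding yes
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp
    AllowTcpForwarding no

# Does not re-enable forwarding for bob if he is in sftponly: the first
# matching block that sets a keyword wins, as in sshd.
Match User bob
    AllowTcpForwarding yes
"""


@dataclass
class Connection:
    user: str
    groups: set
    options: dict = field(default_factory=dict)
    channels: list = field(default_factory=list)


def parse_config(text):
    """Return (global_options, [(criteria, options), ...]) in file order."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            toks = value.split()
            criteria = dict(zip([t.lower() for t in toks[::2]], toks[1::2]))
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks


def criterion_matches(conn, crit, pattern_list):
    """One Match criterion: comma-separated glob patterns, any of which may
    match (approximates sshd's match_pattern_list, without '!' negation)."""
    pats = pattern_list.split(",")
    if crit == "user":
        return any(fnmatch(conn.user, p) for p in pats)
    if crit == "group":
        return any(fnmatch(g, p) for g in conn.groups for p in pats)
    # Only connection-level facts exist at this point; a subsystem name is a
    # per-channel request that arrives later, so it cannot be matched here.
    raise ValueError(f"unsupported Match criterion {crit!r}")


def apply_config(conn, text):
    """Fix the connection's effective options once, before any channel opens."""
    global_opts, blocks = parse_config(text)
    conn.options = dict(global_opts)
    set_by_match = set()
    for criteria, opts in blocks:
        if all(criterion_matches(conn, c, p) for c, p in criteria.items()):
            for key, value in opts.items():
                if key not in set_by_match:  # first matching block wins
                    conn.options[key] = value
                    set_by_match.add(key)
    return conn.options


def open_channel(conn, kind, subsystem=None):
    """Open a channel on an authenticated connection. Whatever it runs, it
    inherits the options that were settled at authentication time."""
    ch = {
        "kind": kind,
        "subsystem": subsystem,
        "tcp_forwarding": conn.options.get("allowtcpforwarding", "yes") == "yes",
        "chroot": conn.options.get("chrootdirectory"),
    }
    conn.channels.append(ch)
    return ch


def multiplexed_session(user, groups):
    """Authenticate once, then reuse the connection for a shell and for sftp,
    which is what `ssh host` followed by `sftp host` over a ControlMaster does."""
    conn = Connection(user=user, groups=set(groups))
    apply_config(conn, SSHD_CONFIG)
    shell = open_channel(conn, "shell")
    sftp = open_channel(conn, "subsystem", "sftp")
    return conn, shell, sftp


if __name__ == "__main__":
    for user, groups in (("alice", ["staff"]), ("bob", ["sftponly"])):
        conn, shell, sftp = multiplexed_session(user, groups)
        print(user, "shell:", shell, "sftp:", sftp)
```

Running it shows that bob's shell channel loses TCP forwarding and gains the chroot along with his sftp channel: the restriction is a property of the connection, not of the channel that requested the subsystem.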

