New Subsystem criteria for Match option block in OpenSSH server

John Olsson M john.m.olsson at ericsson.com
Thu May 24 16:57:50 EST 2012


>> a system administrator that is configuring the ssh server
>> with the following config lines, for example,
>>
>>   ...
>>   AllowTcpForwarding yes
>>   ...
>>   Match Subsystem sftp
>>     AllowTcpForwarding no
>>
>> "should know what he is doing".
>
> My point is that this is extremely unintuitive and if the
> admin also knows roughly how the SSH protocol works then
> it is directly confusing. I am strongly opposed to
> introducing this kind of indeterministic and inconsequent
> behavior into any program, and into sshd in particular.

Don't you have the same problem with, for instance, other match statements?

What happens if you have

...
AllowTcpForwarding yes
...
Match User foo
  AllowTcpForwarding no

Wouldn't this cause the same behavior, that once user foo logs on, TCP forwarding is denied? What is it that makes the subsystem so magical that it suddenly affects the whole server?


/John

-----Original Message-----
From: openssh-unix-dev-bounces+john.m.olsson=ericsson.com at mindrot.org [mailto:openssh-unix-dev-bounces+john.m.olsson=ericsson.com at mindrot.org] On Behalf Of Peter Stuge
Sent: 23 May 2012 11:12
To: openssh-unix-dev at mindrot.org
Subject: Re: New Subsystem criteria for Match option block in OpenSSH server

Nicola Muto wrote:
> Sorry guys, there was a misunderstanding due to my wrong words.

Actually I think I understood.


> a system administrator that is configuring the ssh server with the 
> following config lines, for example,
>
>   ...
>   AllowTcpForwarding yes
>   ...
>   Match Subsystem sftp
>     AllowTcpForwarding no
>
> "should know what he is doing".

My point is that this is extremely unintuitive and if the admin also knows roughly how the SSH protocol works then it is directly confusing. I am strongly opposed to introducing this kind of indeterministic and inconsequent behavior into any program, and into sshd in particular.


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
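As an added illustration of the Match User variant John asks about (this is a toy evaluator written for this page, not sshd's own code and not part of the thread), the following models how sshd resolves per-connection Match blocks for the snippets quoted above; the config text and the connection dictionary are constructed, and only the User criterion is implemented. The real server answers the same question with `sshd -T -f sshd_config -C user=foo`, which prints the effective configuration for that connection.

```python
import fnmatch

# Constructed sshd_config fragment modelled on the thread: the global default
# permits TCP forwarding, a Match User block denies it for one user only.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
PermitTunnel no
Match User foo
  AllowTcpForwarding no
Match User admin*,ops
  PermitTunnel yes
"""


def _criteria_match(criteria, conn):
    """True if every 'Keyword pattern[,pattern]' pair on a Match line matches.

    Only User is modelled here; real sshd also accepts Group, Host, Address,
    LocalAddress and LocalPort, all of them known at authentication time.
    """
    for key, patterns in zip(criteria[0::2], criteria[1::2]):
        value = conn.get(key.lower())
        if value is None:
            return False
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns.split(",")):
            return False
    return True


def effective_options(config_text, conn):
    """Compute the effective keyword values for one connection.

    Global lines set defaults for every connection. A Match block only affects
    connections that satisfy its criteria, and for those it overrides the
    global value; the first value seen for a keyword wins, as in sshd.
    """
    global_vals, match_vals = {}, {}
    in_match, active = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            in_match, active = True, _criteria_match(args, conn)
            continue
        value = " ".join(args)
        if not in_match:
            global_vals.setdefault(key, value)
        elif active:
            match_vals.setdefault(key, value)
    return {**global_vals, **match_vals}   # matching Match blocks override globals


if __name__ == "__main__":
    for user in ("foo", "bar", "admin1"):
        print(user, effective_options(SAMPLE_CONFIG, {"user": user}))
```

The result shows the Match block restricting only the connection it matches, which is the behaviour John expects from Match User; it cannot model a criterion such as a subsystem that is only known after the session is already established.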