New Subsystem criteria for Match option block in OpenSSH server

Ben Lindstrom mouring at eviladmin.org
Thu May 24 23:22:41 EST 2012


On May 24, 2012, at 1:57 AM, John Olsson M wrote:

[..]
> Don't you have the same problem with for instance other match statements?
> 
> What happens if you have
> 
> ...
> AllowTcpForwarding yes
> ...
> Match User foo
>  AllowTcpForwarding no
> 
> Wouldn't this cause the same behavior? That once user foo logs on TCP forwarding is denied? What is it that makes the subsystem so magical that it suddenly affects the whole server?
> 

Simple answer: no.

Because you can't forward TCP sessions pre-authentication.  And once you have authorized yourself the logic is simple, "Everyone, but foo can forward TCP connections."  Same is true for matching on addresses, groups, and hosts as all of those are static through the session and are known up front.  

- Ben
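To make the "everyone but foo" resolution concrete, here is an added example (not from the thread or from OpenSSH itself): a small resolver for the sshd_config semantics Ben describes. It assumes only a global section and `Match User` blocks (real sshd also matches Group, Host, Address and more), and applies the sshd_config(5) rule that the global value is the default and, for a user, the first satisfied Match block that sets a keyword wins. The config text is constructed for the demonstration.

```python
# Added example, not part of the original thread. Simplified sshd_config
# resolver: global section plus "Match User" blocks only (assumption).

SAMPLE_CONFIG = """
# constructed sample sshd_config
AllowTcpForwarding yes
X11Forwarding yes
Match User foo
    AllowTcpForwarding no
Match User bar,baz
    AllowTcpForwarding no
"""

def parse(text):
    """Return (global_opts, [(set_of_users, opts), ...]) from config text."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, users = value.partition(" ")
            assert crit.lower() == "user", "only Match User is supported here"
            current = (set(users.split(",")), {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)   # first obtained value wins
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks

def effective(text, user):
    """Effective options for `user`: global defaults, overridden per keyword
    by the first Match block whose User list contains that user."""
    global_opts, blocks = parse(text)
    result, seen = dict(global_opts), set()
    for users, opts in blocks:
        if user in users:
            for key, value in opts.items():
                if key not in seen:
                    result[key] = value
                    seen.add(key)
    return result

if __name__ == "__main__":
    for u in ("foo", "alice"):
        print(u, effective(SAMPLE_CONFIG, u)["allowtcpforwarding"])
```

On a real server the equivalent check is `sshd -T -C user=foo`, which prints the effective configuration after applying the Match blocks for that user.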

