Feedback regarding the ssh(1) Match directive

Iain Morgan imorgan at nas.nasa.gov
Fri Oct 18 12:15:24 EST 2013


Hi,

I noticed the recent commit adding Match support to ssh(1). I look
forward to giving it a try, but I have some initial feedback based on
ssh_config.5 and an examination of match_cfg_line().

First, the "command" keyword could be a little deceptive. Although the
man page makes the use of this keyword quite clear, my initial
assumption was that the intent was to match against the remote command
that is being requested. That would seem to be a more natural
interpretation of this keyword. Instead it is an arbitrary local test.
Perhaps "localtest" would be a better choice for the keyword.

There are cases where it would be useful to match on the requested command,
to select a different public key or possibly use a different port. For
example, I use one key for CVS operations against a local server, where
the key is restricted to "cvs server," and a different key for shell
logins to that same server. Currently, I manage this by using different
hostnames, but I was hoping that the Match directive would provide a
cleaner approach.

Also, the man page does not document any of the percent macros supported
by the command keyword.

-- 
Iain Morgan
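
The hostname-based workaround described in the message above, sketched as an added example that is not part of the original post. The alias names, server name and key paths are hypothetical, and the authorized_keys line in the comment assumes the "cvs server" restriction is a server-side forced command.

```sshconfig
# ~/.ssh/config (constructed example; all names and paths are hypothetical)

# Alias used only by CVS, e.g.
#   CVS_RSH=ssh cvs -d :ext:cvs-example:/cvsroot checkout module
# Assumed server-side entry in ~/.ssh/authorized_keys for this key:
#   command="cvs server",no-pty,no-port-forwarding ssh-rsa <CVS_PUBLIC_KEY> cvs-only
Host cvs-example
    HostName server.example.org
    IdentityFile ~/.ssh/id_cvs
    # Offer only the key named above, even if an agent holds others,
    # so the shell key is never presented on the CVS path.
    IdentitiesOnly yes

# Alias used for interactive logins to the same machine
Host shell-example
    HostName server.example.org
    IdentityFile ~/.ssh/id_shell
    IdentitiesOnly yes
```

Both aliases resolve to the same server; only the name typed on the command line selects the key, which is the indirection a Match on the requested remote command would make unnecessary.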


More information about the openssh-unix-dev mailing list