Bug 1975

Summary: Support for Match configuration directive to also include subsystems
Product: Portable OpenSSH Reporter: John Olsson <john.gm.olsson>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: djm
Priority: P2    
Version: 5.9p1   
Hardware: All   
OS: All   

Description John Olsson 2012-02-02 01:32:51 AEDT 
It would be very nice if it was possible to use the Match configuration directive to also support subsystems, e.g.

Match Subsystem sftp
	ChrootDirectory /path/to/chroot/

This would be very useful when one want to restrict one subsystem to be only able to access a part of the existing filesystem.
Comment 1 Damien Miller 2014-02-13 11:08:02 AEDT 
At present, this is not possible - the matching happens around authentication time, well before the subsystem is requested.

It would be conceivably possible to add another pass through the config file, but it would be pretty confusing since some combinations of options would never make sense. E.g.

Match user djm subsystem sftp
    PasswordAuthentication no
    ChrootDirectory /blah

This could not be evaluated at authentication time and so the PasswordAuthentication directive could not be applied.

Another approach might be to have another Match-like keywords that is used just for stuff that happens later (say "SessionMatch") that could therefore have access to session-time information. IMO that's confusing and complicated in its own way too.