Bug 1975 - Support for Match configuration directive to also include subsystems
Summary: Support for Match configuration directive to also include subsystems
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.9p1
Hardware: All All
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2012-02-02 01:32 AEDT by John Olsson
Modified: 2014-02-13 11:08 AEDT
Description John Olsson 2012-02-02 01:32:51 AEDT
It would be very nice if it were possible to use the Match configuration directive to also support subsystems, e.g.

Match Subsystem sftp
	ChrootDirectory /path/to/chroot/

This would be very useful when one wants to restrict one subsystem to only be able to access a part of the existing filesystem.
Comment 1 Damien Miller 2014-02-13 11:08:02 AEDT
At present, this is not possible - the matching happens around authentication time, well before the subsystem is requested.

It would be conceivably possible to add another pass through the config file, but it would be pretty confusing since some combinations of options would never make sense. E.g.

Match user djm subsystem sftp
    PasswordAuthentication no
    ChrootDirectory /blah

This could not be evaluated at authentication time and so the PasswordAuthentication directive could not be applied.

Another approach might be to have another Match-like keyword that is used just for stuff that happens later (say "SessionMatch") that could therefore have access to session-time information. IMO that's confusing and complicated in its own way too.
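Because Match is evaluated at authentication time, the restriction the reporter is after can still be expressed with criteria that are known at that point: match on the user or group and force the session into the in-process sftp server, so the client never gets a choice of subsystem. The following sshd_config fragment is an added example, not text from the bug report or from OpenSSH's own documentation; the group name sftponly and the chroot path /srv/sftp are assumptions.

```sshd_config
# Global default: the sftp subsystem is served in-process for everyone.
Subsystem sftp internal-sftp

# Members of the (assumed) group sftponly are confined at authentication time.
# ForceCommand overrides whatever command or subsystem the client requests,
# so these users get sftp and nothing else; internal-sftp needs no shell or
# sftp-server binary inside the chroot, which is why it works with ChrootDirectory.
Match Group sftponly
    ForceCommand internal-sftp
    # /srv/sftp/<user> (assumed path) and every directory above it must be owned
    # by root and not writable by any other user or group, or sshd refuses the
    # login. Give the user a root-owned chroot with a writable subdirectory inside.
    ChrootDirectory /srv/sftp/%u
    # Close the side channels that would otherwise remain available to the session.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

To confirm which directives sshd would apply to a given login, run sshd in extended test mode with a connection spec, e.g. `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (constructed values), and check that ForceCommand and ChrootDirectory appear in the output for a member of the group.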