6 files changed, 314 insertions, 112 deletions

diff --git a/ChangeLog b/ChangeLog
index 2710249f2..5d86e4451 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,18 @@
    - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
      [authfile.c ssh.c]
      need <errno.h> here also (it's also included in <openssl/err.h>)
+   - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
+     [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
+     Add support for conditional directives to sshd_config via a "Match"
+     keyword, which works similarly to the "Host" directive in ssh_config.
+     Lines after a Match line override the default set in the main section
+     if the condition on the Match line is true, eg
+     AllowTcpForwarding yes
+     Match User anoncvs
+             AllowTcpForwarding no
+     will allow port forwarding by all users except "anoncvs".
+     Currently only a very small subset of directives are supported.
+     ok djm@
 
 20060711
  - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
@@ -4892,4 +4904,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4399 2006/07/12 12:24:22 dtucker Exp $
+$Id: ChangeLog,v 1.4400 2006/07/12 12:34:17 dtucker Exp $
diff --git a/auth.c b/auth.c
index e5ddc79da..3bca8dc21 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.70 2006/07/11 20:07:25 stevesk Exp $ */
+/* $OpenBSD: auth.c,v 1.71 2006/07/12 11:34:58 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -467,6 +467,9 @@ getpwnamallow(const char *user)
 #endif
         struct passwd *pw;
 
+        parse_server_match_config(&options, user,
+            get_canonical_hostname(options.use_dns), get_remote_ipaddr());
+
         pw = getpwnam(user);
         if (pw == NULL) {
                 logit("Invalid user %.100s from %.100s",
diff --git a/servconf.c b/servconf.c
index c5b933ab9..42ec340f3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.152 2006/07/08 21:47:12 stevesk Exp $ */
+/* $OpenBSD: servconf.c,v 1.153 2006/07/12 11:34:58 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -25,12 +25,14 @@
 #include "cipher.h"
 #include "kex.h"
 #include "mac.h"
+#include "match.h"
 
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
 
 /* Use of privilege separation or not */
 extern int use_privsep;
+extern Buffer cfg;
 
 /* Initializes the server options to their default values. */
 
@@ -105,9 +107,6 @@ initialize_server_options(ServerOptions *options)
         options->authorized_keys_file2 = NULL;
         options->num_accept_env = 0;
         options->permit_tun = -1;
-
-        /* Needs to be accessable in many places */
-        use_privsep = -1;
 }
 
 void
@@ -277,110 +276,116 @@ typedef enum {
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
         sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+        sMatch,
         sUsePrivilegeSeparation,
         sDeprecated, sUnsupported
 } ServerOpCodes;
 
+#define SSHCFG_GLOBAL   0x01    /* allowed in main section of sshd_config */
+#define SSHCFG_MATCH    0x02    /* allowed inside a Match section */
+#define SSHCFG_ALL      (SSHCFG_GLOBAL|SSHCFG_MATCH)
+
 /* Textual representation of the tokens. */
 static struct {
         const char *name;
         ServerOpCodes opcode;
+        u_int flags;
 } keywords[] = {
         /* Portable-specific options */
 #ifdef USE_PAM
-        { "usepam", sUsePAM },
+        { "usepam", sUsePAM, SSHCFG_GLOBAL },
 #else
-        { "usepam", sUnsupported },
+        { "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "pamauthenticationviakbdint", sDeprecated },
+        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
         /* Standard Options */
-        { "port", sPort },
-        { "hostkey", sHostKeyFile },
-        { "hostdsakey", sHostKeyFile },                                 /* alias */
-        { "pidfile", sPidFile },
-        { "serverkeybits", sServerKeyBits },
-        { "logingracetime", sLoginGraceTime },
-        { "keyregenerationinterval", sKeyRegenerationTime },
-        { "permitrootlogin", sPermitRootLogin },
-        { "syslogfacility", sLogFacility },
-        { "loglevel", sLogLevel },
-        { "rhostsauthentication", sDeprecated },
-        { "rhostsrsaauthentication", sRhostsRSAAuthentication },
-        { "hostbasedauthentication", sHostbasedAuthentication },
-        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
-        { "rsaauthentication", sRSAAuthentication },
-        { "pubkeyauthentication", sPubkeyAuthentication },
-        { "dsaauthentication", sPubkeyAuthentication },                 /* alias */
+        { "port", sPort, SSHCFG_GLOBAL },
+        { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
+        { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },          /* alias */
+        { "pidfile", sPidFile, SSHCFG_GLOBAL },
+        { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
+        { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
+        { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
+        { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
+        { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
+        { "loglevel", sLogLevel, SSHCFG_GLOBAL },
+        { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
+        { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
+        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
+        { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
+        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+        { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },  /* alias */
 #ifdef KRB5
-        { "kerberosauthentication", sKerberosAuthentication },
-        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
-        { "kerberosticketcleanup", sKerberosTicketCleanup },
+        { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
+        { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
-        { "kerberosgetafstoken", sKerberosGetAFSToken },
+        { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
 #else
-        { "kerberosgetafstoken", sUnsupported },
+        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-        { "kerberosauthentication", sUnsupported },
-        { "kerberosorlocalpasswd", sUnsupported },
-        { "kerberosticketcleanup", sUnsupported },
-        { "kerberosgetafstoken", sUnsupported },
+        { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "kerberostgtpassing", sUnsupported },
-        { "afstokenpassing", sUnsupported },
+        { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
+        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-        { "gssapiauthentication", sGssAuthentication },
-        { "gssapicleanupcredentials", sGssCleanupCreds },
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 #else
-        { "gssapiauthentication", sUnsupported },
-        { "gssapicleanupcredentials", sUnsupported },
+        { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "passwordauthentication", sPasswordAuthentication },
-        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
-        { "challengeresponseauthentication", sChallengeResponseAuthentication },
-        { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
-        { "checkmail", sDeprecated },
-        { "listenaddress", sListenAddress },
-        { "addressfamily", sAddressFamily },
-        { "printmotd", sPrintMotd },
-        { "printlastlog", sPrintLastLog },
-        { "ignorerhosts", sIgnoreRhosts },
-        { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
-        { "x11forwarding", sX11Forwarding },
-        { "x11displayoffset", sX11DisplayOffset },
-        { "x11uselocalhost", sX11UseLocalhost },
-        { "xauthlocation", sXAuthLocation },
-        { "strictmodes", sStrictModes },
-        { "permitemptypasswords", sEmptyPasswd },
-        { "permituserenvironment", sPermitUserEnvironment },
-        { "uselogin", sUseLogin },
-        { "compression", sCompression },
-        { "tcpkeepalive", sTCPKeepAlive },
-        { "keepalive", sTCPKeepAlive },                         /* obsolete alias */
-        { "allowtcpforwarding", sAllowTcpForwarding },
-        { "allowusers", sAllowUsers },
-        { "denyusers", sDenyUsers },
-        { "allowgroups", sAllowGroups },
-        { "denygroups", sDenyGroups },
-        { "ciphers", sCiphers },
-        { "macs", sMacs },
-        { "protocol", sProtocol },
-        { "gatewayports", sGatewayPorts },
-        { "subsystem", sSubsystem },
-        { "maxstartups", sMaxStartups },
-        { "maxauthtries", sMaxAuthTries },
-        { "banner", sBanner },
-        { "usedns", sUseDNS },
-        { "verifyreversemapping", sDeprecated },
-        { "reversemappingcheck", sDeprecated },
-        { "clientaliveinterval", sClientAliveInterval },
-        { "clientalivecountmax", sClientAliveCountMax },
-        { "authorizedkeysfile", sAuthorizedKeysFile },
-        { "authorizedkeysfile2", sAuthorizedKeysFile2 },
-        { "useprivilegeseparation", sUsePrivilegeSeparation},
-        { "acceptenv", sAcceptEnv },
-        { "permittunnel", sPermitTunnel },
-        { NULL, sBadOption }
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+        { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+        { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+        { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+        { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
+        { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+        { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+        { "x11forwarding", sX11Forwarding, SSHCFG_GLOBAL },
+        { "x11displayoffset", sX11DisplayOffset, SSHCFG_GLOBAL },
+        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_GLOBAL },
+        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
+        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+        { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
+        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
+        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
+        { "compression", sCompression, SSHCFG_GLOBAL },
+        { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
+        { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },  /* obsolete alias */
+        { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
+        { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
+        { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
+        { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
+        { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
+        { "ciphers", sCiphers, SSHCFG_GLOBAL },
+        { "macs", sMacs, SSHCFG_GLOBAL },
+        { "protocol", sProtocol, SSHCFG_GLOBAL },
+        { "gatewayports", sGatewayPorts, SSHCFG_ALL },
+        { "subsystem", sSubsystem, SSHCFG_GLOBAL },
+        { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
+        { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
+        { "banner", sBanner, SSHCFG_GLOBAL },
+        { "usedns", sUseDNS, SSHCFG_GLOBAL },
+        { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+        { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+        { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
+        { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
+        { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
+        { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+        { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+        { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+        { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
 };
 
 /*
@@ -389,13 +394,15 @@ static struct {
 
 static ServerOpCodes
 parse_token(const char *cp, const char *filename,
-            int linenum)
+            int linenum, u_int *flags)
 {
         u_int i;
 
         for (i = 0; keywords[i].name; i++)
-                if (strcasecmp(cp, keywords[i].name) == 0)
+                if (strcasecmp(cp, keywords[i].name) == 0) {
+                        *flags = keywords[i].flags;
                         return keywords[i].opcode;
+                }
 
         error("%s: line %d: Bad configuration option: %s",
             filename, linenum, cp);
@@ -440,15 +447,112 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
         options->listen_addrs = aitop;
 }
 
+/*
+ * The strategy for the Match blocks is that the config file is parsed twice.
+ *
+ * The first time is at startup.  activep is initialized to 1 and the
+ * directives in the global context are processed and acted on.  Hitting a
+ * Match directive unsets activep and the directives inside the block are
+ * checked for syntax only.
+ *
+ * The second time is after a connection has been established but before
+ * authentication.  activep is initialized to 2 and global config directives
+ * are ignored since they have already been processed.  If the criteria in a
+ * Match block is met, activep is set and the subsequent directives
+ * processed and actioned until EOF or another Match block unsets it.  Any
+ * options set are copied into the main server config.
+ *
+ * Potential additions/improvements:
+ *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
+ *
+ *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
+ *      Match Address 192.168.0.*
+ *              Tag trusted
+ *      Match Group wheel
+ *              Tag trusted
+ *      Match Tag trusted
+ *              AllowTcpForwarding yes
+ *              GatewayPorts clientspecified
+ *              [...]
+ *
+ *  - Add a PermittedChannelRequests directive
+ *      Match Group shell
+ *              PermittedChannelRequests session,forwarded-tcpip
+ */
+
+static int
+match_cfg_line(char **condition, int line, const char *user, const char *host,
+    const char *address)
+{
+        int result = 1;
+        char *arg, *attrib, *cp = *condition;
+        size_t len;
+
+        if (user == NULL)
+                debug3("checking syntax for 'Match %s'", cp);
+        else
+                debug3("checking match for '%s' user %s host %s addr %s", cp,
+                    user ? user : "(null)", host ? host : "(null)",
+                    address ? address : "(null)");
+
+        while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+                if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
+                        error("Missing Match criteria for %s", attrib);
+                        return -1;
+                }
+                len = strlen(arg);
+                if (strcasecmp(attrib, "user") == 0) {
+                        if (!user) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_pattern_list(user, arg, len, 0) != 1)
+                                result = 0;
+                        else
+                                debug("user %.100s matched 'User %.100s' at "
+                                    "line %d", user, arg, line);
+                } else if (strcasecmp(attrib, "host") == 0) {
+                        if (!host) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_hostname(host, arg, len) != 1)
+                                result = 0;
+                        else
+                                debug("connection from %.100s matched 'Host "
+                                    "%.100s' at line %d", host, arg, line);
+                } else if (strcasecmp(attrib, "address") == 0) {
+                        debug("address '%s' arg '%s'", address, arg);
+                        if (!address) {
+                                result = 0;
+                                continue;
+                        }
+                        if (match_hostname(address, arg, len) != 1)
+                                result = 0;
+                        else
+                                debug("connection from %.100s matched 'Address "
+                                    "%.100s' at line %d", address, arg, line);
+                } else {
+                        error("Unsupported Match attribute %s", attrib);
+                        return -1;
+                }
+        }
+        if (user != NULL)
+                debug3("match %sfound", result ? "" : "not ");
+        *condition = cp;
+        return result;
+}
+
 int
 process_server_config_line(ServerOptions *options, char *line,
-    const char *filename, int linenum)
+    const char *filename, int linenum, int *activep, const char *user,
+    const char *host, const char *address)
 {
         char *cp, **charptr, *arg, *p;
-        int *intptr, value, n;
+        int cmdline = 0, *intptr, value, n;
         ServerOpCodes opcode;
         u_short port;
-        u_int i;
+        u_int i, flags = 0;
         size_t len;
 
         cp = line;
@@ -461,7 +565,25 @@ process_server_config_line(ServerOptions *options, char *line,
                 return 0;
         intptr = NULL;
         charptr = NULL;
-        opcode = parse_token(arg, filename, linenum);
+        opcode = parse_token(arg, filename, linenum, &flags);
+
+        if (activep == NULL) { /* We are processing a command line directive */
+                cmdline = 1;
+                activep = &cmdline;
+        }
+        if (*activep && opcode != sMatch)
+                debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
+        if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
+                if (user == NULL) {
+                        fatal("%s line %d: Directive '%s' is not allowed "
+                            "within a Match block", filename, linenum, arg);
+                } else { /* this is a directive we have already processed */
+                        while (arg)
+                                arg = strdelim(&cp);
+                        return 0;
+                }
+        }
+
         switch (opcode) {
         /* Portable-specific options */
         case sUsePAM:
@@ -499,7 +621,7 @@ parse_int:
                         fatal("%s line %d: missing integer value.",
                             filename, linenum);
                 value = atoi(arg);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -579,7 +701,7 @@ parse_filename:
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: missing file name.",
                             filename, linenum);
-                if (*charptr == NULL) {
+                if (*activep && *charptr == NULL) {
                         *charptr = tilde_expand_filename(arg, getuid());
                         /* increase optional counter */
                         if (intptr != NULL)
@@ -630,7 +752,7 @@ parse_flag:
                 else
                         fatal("%s line %d: Bad yes/no argument: %s",
                                 filename, linenum, arg);
-                if (*intptr == -1)
+                if (*activep && *intptr == -1)
                         *intptr = value;
                 break;
 
@@ -895,6 +1017,10 @@ parse_flag:
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: Missing subsystem name.",
                             filename, linenum);
+                if (!*activep) {
+                        arg = strdelim(&cp);
+                        break;
+                }
                 for (i = 0; i < options->num_subsystems; i++)
                         if (strcmp(arg, options->subsystem_name[i]) == 0)
                                 fatal("%s line %d: Subsystem '%s' already defined.",
@@ -977,6 +1103,8 @@ parse_flag:
                         if (options->num_accept_env >= MAX_ACCEPT_ENV)
                                 fatal("%s line %d: too many allow env.",
                                     filename, linenum);
+                        if (!*activep)
+                                break;
                         options->accept_env[options->num_accept_env++] =
                             xstrdup(arg);
                 }
@@ -1004,6 +1132,17 @@ parse_flag:
                         *intptr = value;
                 break;
 
+        case sMatch:
+                if (cmdline)
+                        fatal("Match directive not supported as a command-line "
+                           "option");
+                value = match_cfg_line(&cp, linenum, user, host, address);
+                if (value < 0)
+                        fatal("%s line %d: Bad Match condition", filename,
+                            linenum);
+                *activep = value;
+                break;
+
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
@@ -1060,18 +1199,41 @@ load_server_config(const char *filename, Buffer *conf)
 }
 
 void
-parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
+parse_server_match_config(ServerOptions *options, const char *user,
+    const char *host, const char *address)
+{
+        ServerOptions mo;
+
+        initialize_server_options(&mo);
+        parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
+        copy_set_server_options(options, &mo);
+}
+
+/* Copy any (supported) values that are set */
+void
+copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+{
+        if (src->allow_tcp_forwarding != -1)
+                dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
+        if (src->gateway_ports != -1)
+                dst->gateway_ports = src->gateway_ports;
+}
+
+void
+parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
+    const char *user, const char *host, const char *address)
 {
-        int linenum, bad_options = 0;
+        int active, linenum, bad_options = 0;
         char *cp, *obuf, *cbuf;
 
         debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
 
         obuf = cbuf = xstrdup(buffer_ptr(conf));
+        active = user ? 0 : 1;
         linenum = 1;
         while ((cp = strsep(&cbuf, "\n")) != NULL) {
                 if (process_server_config_line(options, cp, filename,
-                    linenum++) != 0)
+                    linenum++, &active, user, host, address) != 0)
                         bad_options++;
         }
         xfree(obuf);
diff --git a/servconf.h b/servconf.h
index 671050e4c..a74716e6f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.74 2006/07/06 10:47:05 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -142,8 +142,13 @@ typedef struct {
 
 void     initialize_server_options(ServerOptions *);
 void     fill_default_server_options(ServerOptions *);
-int      process_server_config_line(ServerOptions *, char *, const char *, int);
+int      process_server_config_line(ServerOptions *, char *, const char *, int,
+             int *, const char *, const char *, const char *);
 void     load_server_config(const char *, Buffer *);
-void     parse_server_config(ServerOptions *, const char *, Buffer *);
+void     parse_server_config(ServerOptions *, const char *, Buffer *,
+             const char *, const char *, const char *);
+void     parse_server_match_config(ServerOptions *, const char *, const char *,
+             const char *);
+void     copy_set_server_options(ServerOptions *, ServerOptions *);
 
 #endif                          /* SERVCONF_H */
diff --git a/sshd.c b/sshd.c
index f3fe9d184..497525df8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.336 2006/07/11 20:07:25 stevesk Exp $ */
+/* $OpenBSD: sshd.c,v 1.337 2006/07/12 11:34:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -219,12 +219,15 @@ int *startup_pipes = NULL;
 int startup_pipe;               /* in child */
 
 /* variables used for privilege separation */
-int use_privsep;
+int use_privsep = -1;
 struct monitor *pmonitor = NULL;
 
 /* global authentication context */
 Authctxt *the_authctxt = NULL;
 
+/* sshd_config buffer */
+Buffer cfg;
+
 /* message to be displayed after login */
 Buffer loginmsg;
 
@@ -916,7 +919,6 @@ main(int ac, char **av)
         Key *key;
         Authctxt *authctxt;
         int ret, key_used = 0;
-        Buffer cfg;
 
 #ifdef HAVE_SECUREWARE
         (void)set_auth_parameters(ac, av);
@@ -1036,7 +1038,7 @@ main(int ac, char **av)
                 case 'o':
                         line = xstrdup(optarg);
                         if (process_server_config_line(&options, line,
-                            "command-line", 0) != 0)
+                            "command-line", 0, NULL, NULL, NULL, NULL) != 0)
                                 exit(1);
                         xfree(line);
                         break;
@@ -1094,11 +1096,8 @@ main(int ac, char **av)
         else
                 load_server_config(config_file_name, &cfg);
 
-        parse_server_config(&options,
-            rexeced_flag ? "rexec" : config_file_name, &cfg);
-
-        if (!rexec_flag)
-                buffer_free(&cfg);
+        parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+            &cfg, NULL, NULL, NULL);
 
         seed_rng();
 
diff --git a/sshd_config.5 b/sshd_config.5
index 3b639b17d..0b2646027 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.59 2006/07/06 10:47:05 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.60 2006/07/12 11:34:58 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -463,6 +463,27 @@ for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
 .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.It Cm Match
+Introduces a conditional block.  Keywords on lines following a
+.Cm Match
+block are only applied if all of the criteria on the
+.Cm Match
+are satisfied.
+The the arguments to
+.Cm Match
+block are one or more criteria-pattern pairs.
+The available criteria are
+.Cm User ,
+.Cm Host ,
+and
+.Cm Address .
+Only a subset of keywords may be used on the lines following a
+.Cm Match
+keyword.
+Available keywords are
+.Cm AllowTcpForwarding ,
+and
+.Cm GatewayPorts .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.