From: djm@openbsd.org <djm@openbsd.org>
Date: Fri, 19 Dec 2025 00:48:47 +0000 (+0000)
Subject: upstream: check that invalid subsystem directives inside Match
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81e5bb8d93f2d8361bd7f4b034044ad8ee4ded0e;p=thirdparty%2Fopenssh-portable.git

upstream: check that invalid subsystem directives inside Match

blocks are noticed at startup; bz#3906

OpenBSD-Regress-ID: b9171bde4cc24757a826b3da0e9eadc33995a453
---

diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 8b9d80f0a..aa59f9149 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cfgmatch.sh,v 1.15 2025/07/11 23:26:59 djm Exp $
+#	$OpenBSD: cfgmatch.sh,v 1.16 2025/12/19 00:48:47 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -160,3 +160,13 @@ EOD
 		fi
 	done
 done
+
+# Ensure that invalid subsystems are detected at startup
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Match host blah
+	Subsystem invalid
+_EOF
+$SSHD -tf $OBJ/sshd_proxy 2>/dev/null && \
+	fail "sshd_config accepted invalid subsystem"
+