SUSE Support

Here When You Need Us

Certain "Match" syntax not accepted in sshd_config after update to SLES 11 SP4

This document (7017637) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)

Situation

The file /etc/ssh/sshd_config has been set up with "Match" blocks, in this format:
 
Match User user1
     parameter1
     parameter2
Match
 
Match User user2
     parameter1
     parameter2
Match
 
This has never been considered correct syntax, but was being accepted without error in SLES 11 SP3 (and earlier).  After updating to SLES 11 SP4, sshd will not successfully launch, and gives the error:
 
/etc/ssh/sshd_config line xx: Bad Match condition

Resolution

Remove the lines which say "Match" but which contain no other match conditions.  The correct syntax for Match blocks has always been in the format:
 
Match User user1
     parameter1
     parameter2
 
Match User user2
     parameter1
     parameter2

Cause

Changes to the openssh code by the Linux community were made to clarify and tighten the Match block usage.  SLES 11 SP3 contained openssh 6.2p1, whereas SP4 provides openssh 6.6p1, which contains this change.
 
The use of the incorrect syntax generally has come from two potential misunderstandings about match blocks:
 
1.  The false idea that it is necessary to close a match block with a line containing the word "Match" by itself.
2.  The false idea that using the word "Match" by itself was equal to the concept of "Match All".
 
Neither of these ideas were intended when the match block code was originally designed.  However, by coincidence and/or by lack of errors, some have believed match blocks worked this way.
 
Once a match block starts, all parameters that follow it are part of that match block, until another match block is initiated, or until the file ends. "Closing" a match block is not necessary.  Beginning a new block (or ending the file) is automatically considered the end of the previous match block.
 
It may be helpful to note that the recommended best practice is for all "global" settings (settings intended to apply to everyone) should occur before any match blocks begin. This author knows of no technical or functional reasons that it should be necessary to put any global settings *after* any match blocks. If this best practice were followed, there would never be a need for a "Match All" block.  However, if by some personal preference that were desired, it could be accomplished with a final Match block in the format:
 
Match All
     parameter3
     parameter4

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017637
  • Creation Date: 23-May-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center