
Bug#629853: openssh-server: sshd_config 'Match' specification's arguments are not terminated by beginning of next 'Match' block
Package: openssh-server
Version: 1:5.1p1-5
Severity: normal

It does not seem as if, when specifying multiple 'Match' blocks, the block's
arguments are terminated at the beginning of the next 'Match' block.

In the below example, I have one group of users who are permitted only access
to the Squid proxy server and one group of users who are permitted access to
all forwards (so as to be able to connect to other services only running 
locally on server):

in /etc/sshd_config:

# Default settings for any ssh users
X11Forwarding no
AllowTcpForwarding no

# Settings for users matching those permitted to use TCP Forwarding
Match Group AllowTCPForward
    AllowTCPForwarding yes
    X11Forwarding yes

# Match only those who are permitted to use Squid
Match Group AllowSquidProxy
    AllowTCPForwarding yes
    X11Forwarding no
    PermitOpen 127.0.0.1:3128

Following the above configuration settings restricts port forwarding as
intended, but does not restrict X11Forwarding as it should. 'AllowSquidProxy'
users ARE ALLOWED to use X11Forwarding.

Additionally, as an 'experiment', specifying differing 'Banner' options does
not result in the intended banners displaying upon users from differing groups
attempting to log in.

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.31                  Debian package management system
ii  libc6           2.7-18lenny7             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny6 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny11        SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:
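As an added example (not part of the bug report and not OpenSSH code), the following Python models how sshd resolves the configuration quoted above according to the rules documented in sshd_config(5): keywords are case-insensitive, lines before the first Match are global defaults, and when a keyword appears in several satisfied Match blocks only the first instance is applied, with anything not set in a satisfied block falling back to the global value. Only the Group criterion is modelled, group names are compared literally rather than with sshd's wildcard patterns, and the user/group memberships are constructed for the example. Running it shows that a user in the AllowSquidProxy group alone gets X11Forwarding no, while a user who is a member of both groups takes X11Forwarding yes from the first block.

```python
"""Model of sshd_config 'Match' resolution (illustration only, not sshd code).

Rules modelled, from sshd_config(5):
  * keywords are case-insensitive;
  * lines before the first Match are global defaults;
  * a Match block applies when all its criteria are satisfied;
  * if a keyword appears in several satisfied Match blocks, only the
    FIRST instance is applied;
  * a keyword set in no satisfied block keeps its global value.
Only the 'Group' criterion is implemented (assumption: literal group names,
no wildcard patterns); everything else about sshd is out of scope.
"""

# The configuration from the bug report, embedded so the example runs offline.
SSHD_CONFIG = """
# Default settings for any ssh users
X11Forwarding no
AllowTcpForwarding no

# Settings for users matching those permitted to use TCP Forwarding
Match Group AllowTCPForward
    AllowTCPForwarding yes
    X11Forwarding yes

# Match only those who are permitted to use Squid
Match Group AllowSquidProxy
    AllowTCPForwarding yes
    X11Forwarding no
    PermitOpen 127.0.0.1:3128
"""


def parse_config(text):
    """Split config text into (globals, [(criteria, settings), ...]).

    Keywords are lower-cased to mirror sshd's case-insensitive handling,
    so 'AllowTcpForwarding' and 'AllowTCPForwarding' are the same key.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            # Criteria come in name/pattern pairs, e.g. "Group a,b User c".
            criteria = {n.lower(): p.split(",")
                        for n, p in zip(tokens[::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current[keyword] = value
    return global_settings, blocks


def block_applies(criteria, user_groups):
    """Group criterion: satisfied when the user is in any listed group."""
    for name, patterns in criteria.items():
        if name != "group":
            raise NotImplementedError(f"criterion {name!r} not modelled")
        if not any(g in user_groups for g in patterns):
            return False
    return True


def effective_settings(text, user_groups):
    """Return the settings sshd would apply for a user in user_groups."""
    global_settings, blocks = parse_config(text)
    effective = dict(global_settings)
    fixed = set()  # keywords already set by an earlier satisfied block
    for criteria, settings in blocks:
        if not block_applies(criteria, user_groups):
            continue
        for keyword, value in settings.items():
            if keyword in fixed:
                continue  # later satisfied block loses: first instance wins
            effective[keyword] = value
            fixed.add(keyword)
    return effective


if __name__ == "__main__":
    # Constructed memberships for three hypothetical users.
    for label, groups in [("neither group", set()),
                          ("AllowSquidProxy only", {"AllowSquidProxy"}),
                          ("both groups", {"AllowTCPForward", "AllowSquidProxy"})]:
        eff = effective_settings(SSHD_CONFIG, groups)
        print(f"{label:22s} x11forwarding={eff['x11forwarding']} "
              f"permitopen={eff.get('permitopen', '<global>')}")
```

Against a real daemon the same question is answered by the extended test mode that OpenSSH 5.1 introduced, `sshd -T -C user=NAME,host=HOST,addr=ADDR`, which prints the effective configuration for the given connection parameters; comparing its output for a user in one group with that for a user in both groups is the quickest way to tell a misconfiguration from a parser defect.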
