--- /dev/null
+# $OpenBSD: match-subsystem.sh,v 1.1 2023/09/06 23:36:09 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config match subsystem"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+try_subsystem() {
+ _id=$1
+ _subsystem=$2
+ _expect=$3
+ ${SSHD} -tf $OBJ/sshd_proxy || fatal "$_id: bad config"
+ ${SSH} -sF $OBJ/ssh_proxy somehost $_subsystem
+ _exit=$?
+ trace "$_id subsystem $_subsystem"
+ if [ $_exit -ne $_expect ] ; then
+ fail "$_id: subsystem $_subsystem exit $_exit expected $_expect"
+ fi
+ return $?
+}
+
+# Simple case: subsystem in main config.
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Subsystem xxx /bin/sh -c "exit 23"
+_EOF
+try_subsystem "main config" xxx 23
+
+# No clobber in main config.
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Subsystem xxx /bin/sh -c "exit 23"
+Subsystem xxx /bin/sh -c "exit 24"
+_EOF
+try_subsystem "main config no clobber" xxx 23
+
+# Subsystem in match all block
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Match all
+Subsystem xxx /bin/sh -c "exit 21"
+_EOF
+try_subsystem "match all" xxx 21
+
+# No clobber in match all block
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Match all
+Subsystem xxx /bin/sh -c "exit 21"
+Subsystem xxx /bin/sh -c "exit 24"
+_EOF
+try_subsystem "match all no clobber" xxx 21
+
+# Subsystem in match user block
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Match user *
+Subsystem xxx /bin/sh -c "exit 20"
+_EOF
+try_subsystem "match user" xxx 20
+
+# No clobber in match user block
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Match user *
+Subsystem xxx /bin/sh -c "exit 20"
+Subsystem xxx /bin/sh -c "exit 24"
+Match all
+Subsystem xxx /bin/sh -c "exit 24"
+_EOF
+try_subsystem "match user no clobber" xxx 20
+
+# Override main with match all
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Subsystem xxx /bin/sh -c "exit 23"
+Match all
+Subsystem xxx /bin/sh -c "exit 19"
+_EOF
+try_subsystem "match all override" xxx 19
+
+# Override main with match user
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >> $OBJ/sshd_proxy << _EOF
+Subsystem xxx /bin/sh -c "exit 23"
+Match user *
+Subsystem xxx /bin/sh -c "exit 18"
+_EOF
+try_subsystem "match user override" xxx 18
+