First, note that command= does not invoke an SSH subsystem. It merely runs the command as if it were given on the SSH client's command line; e.g.
ssh yourhost "svnserve -t --tunnel-user=alice"
ssh yourhost "git upload-pack /pub/git/myproject.git"
ssh yourhost "ls -la"
The above examples should make it clearer that communication with svnserve or git or ls happens over the same stdio (stdin/stdout/stderr) as any other SSH interaction. For SVN and Git, the ssh client merely serves as a tool to invoke commands remotely.
"Real" subsystems, as configured using the Subsystem option in sshd_config, aren't that much different. The only major difference is that they can be invoked by a static, well-known name, instead of relying on the remote login shell (bash, zsh, etc.) to find the correct executable. For example, the SFTP server can be /usr/lib/ssh/sftp-server in one machine, MULTINET_COMMON_ROOT:[MULTINET]SFTP-SERVER2.EXE in another, built into sshd in a third (Subsystem sftp internal-sftp), but in all cases clients can still find it using the name sftp.
At least in OpenSSH, subsystems can be written just like normal programs that communicate with the client via stdin/stdout/stderr. It seems that passing arbitrary command-line arguments is not allowed, however, so you cannot just configure a single svnserve subsystem for all users.
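
An added example, not part of the original answer: a forced-command wrapper for command= that takes the user name from the key's authorized_keys entry instead of from anything the client sends. The script path /usr/local/bin/ssh-gate, the key line shown in the comment and the function names are assumptions; SSH_ORIGINAL_COMMAND is the variable in which OpenSSH hands the client's requested command to a forced command.

```shell
#!/bin/sh
# Added example (not from the original answer): a forced-command wrapper.
# Assumed authorized_keys entry; the script path and key are hypothetical:
#   command="/usr/local/bin/ssh-gate alice",restrict ssh-ed25519 AAAA... alice
# With command= set, sshd runs this script for every session on that key and
# exports the command line the client asked for as SSH_ORIGINAL_COMMAND.

REPO=/pub/git/myproject.git   # the one repository this key may read

# classify REQUEST: print "svn" or "git" for an allowed request, else fail.
classify() {
    case $1 in
        "svnserve -t" | "svnserve -t "*)
            echo svn ;;   # client arguments are discarded, see gate()
        "git upload-pack $REPO" | "git-upload-pack '$REPO'")
            echo git ;;   # second form is what the git client sends
        *)
            return 1 ;;
    esac
}

# valid_user NAME: accept only a conservative account-name alphabet.
valid_user() {
    case $1 in
        "" | *[!a-z0-9_-]*) return 1 ;;
    esac
}

# gate USER: replace this process with the allowed command; stdio stays
# connected to the SSH channel, so the client talks to it directly.
gate() {
    valid_user "$1" || { echo "bad user in command=" >&2; return 1; }
    case $(classify "${SSH_ORIGINAL_COMMAND:-}") in
        svn) exec svnserve -t --tunnel-user="$1" ;;
        git) exec git upload-pack "$REPO" ;;
        *)   echo "request refused" >&2; return 1 ;;
    esac
}

# Run only when sshd passes the user name from command=.
[ "$#" -eq 0 ] || gate "$1"
```

A client that requests "svnserve -t --tunnel-user=root" on alice's key still gets --tunnel-user=alice, because the wrapper rebuilds the argument list itself.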