Hi, I tried to set up some special cases with the help of the "Match" directive in sshd_config and stumbled over how negations in the pattern matching work. What I tried first was Match User !root, Group !mygroup which to my momentary surprise did not work. After carefully re-reading the manpage, and some trial and error, I've understood that the logic is based on set theory and I tried to essentially exclude user/groups from an empty set, which of course has no result and thus cannot match anything. So a Match User *,!root, Group *,!mygroup worked for my case. I guess it's intentional that there is no kind of default filling of the set you match on, so I would propose a patch to the ssh_config.5 manpage to make it a bit more obvious.

Sven
--- ssh_config.5.orig Tue Jul 29 15:18:33 2014 +++ ssh_config.5 Tue Jul 29 17:59:21 2014 @@ -1469,6 +1469,25 @@ the following entry (in authorized_keys) could be used: .Pp .Dl from=\&"!*.dialup.example.com,*.example.com\&" +.Pp +If you use negations please keep in mind that you've to +make sure that the set you operate on is not empty. +Otherwise the intended match will be applied to an empty +set which will never match. +.Pp +For example +.Pp +.Dl Match Group *,!mygroup, User *,!root +.Pp +will match everyone except the members of +.Dq mygroup +and the +.Dq root +user, while omitting the +.Sq * +wildcard +.Pq Match Group !mygroup, User !root +will never match. .Sh FILES .Bl -tag -width Ds .It Pa ~/.ssh/config
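Review bot: the example `Match Group *,!mygroup, User *,!root` uses sshd_config(5) Match criteria, but this hunk patches ssh_config.5, whose own Match keyword has no Group criterion; since sshd_config.5 sends readers to this PATTERNS section for pattern syntax, state the rule generically and, if the example is kept, say it is an sshd_config Match line. The explanation "you've to make sure that the set you operate on is not empty" is also looser than the surrounding text; the precise rule is that a negated pattern can only exclude, so a pattern list consisting solely of negated patterns never matches, and a positive pattern such as `*` has to precede the exclusions, e.g. `*,!root`.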
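As an added illustration of the rule the post describes (my own code, not part of the post or of OpenSSH), here is a Python re-implementation of the negation logic that match_pattern_list() in OpenSSH's match.c applies, with the Group criterion evaluated over all of a user's groups the way sshd does; it assumes fnmatch as a stand-in for sshd's own `*`/`?` matcher and models only the User and Group criteria.

```python
import fnmatch

def match_pattern_list(string, pattern_list):
    """Negation rule of match_pattern_list() in OpenSSH's match.c: a matching
    '!pattern' rejects at once (-1); a matching positive pattern only records
    a candidate (1), since a later '!' entry may still reject; no positive
    match at all gives 0. Assumption: fnmatch stands in for sshd's '*'/'?'
    matcher."""
    got_positive = False
    for sub in pattern_list.split(","):
        sub = sub.strip()
        if not sub:            # tolerate a trailing comma, e.g. 'User *,!root,'
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatch.fnmatchcase(string, sub):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def group_list_matches(groups, pattern_list):
    """Group criterion as sshd applies it over all of the user's groups:
    any negated hit rejects, otherwise some group must match positively."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        found = found or result == 1
    return found

def match_applies(line, user, groups):
    """True when every criterion of an sshd 'Match User ..., Group ...' line
    holds for this user (only the User and Group criteria are modelled)."""
    tokens = line.split()
    if not tokens or tokens[0] != "Match":
        raise ValueError("not a Match line")
    for keyword, patterns in zip(tokens[1::2], tokens[2::2]):
        if keyword == "User":
            ok = match_pattern_list(user, patterns) == 1
        elif keyword == "Group":
            ok = group_list_matches(groups, patterns)
        else:
            raise ValueError("unsupported criterion: " + keyword)
        if not ok:
            return False
    return True
```

Feeding it the two Match lines from the post shows the difference directly: `Match User *,!root, Group *,!mygroup` applies to an ordinary user and rejects root and members of mygroup, while `Match User !root, Group !mygroup` never applies to anyone.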
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev