Match directive and negations

Hi,
I tried to set up some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.

What I tried first was
     Match User !root, Group !mygroup
which to my momentary surprise did not work.

After carefully re-reading the manpage, and some trial and error,
I've understood that the logic is based on set theory and that I
tried to essentially exclude users/groups from an empty set, which
of course has no result and thus cannot match anything.

So a
   Match User *,!root, Group *,!mygroup
worked for my case.

I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.

Sven
--- ssh_config.5.orig	Tue Jul 29 15:18:33 2014
+++ ssh_config.5	Tue Jul 29 17:59:21 2014
@@ -1469,6 +1469,25 @@
 the following entry (in authorized_keys) could be used:
 .Pp
 .Dl from=\&"!*.dialup.example.com,*.example.com\&"
+.Pp
+If you use negations please keep in mind that you've to
+make sure that the set you operate on is not empty.
+Otherwise the intended match will be applied to an empty
+set which will never match.
+.Pp
+For example
+.Pp
+.Dl Match Group *,!mygroup, User *,!root
+.Pp
+will match everyone except the members of
+.Dq mygroup
+and the
+.Dq root
+user, while omitting the
+.Sq *
+wildcard
+.Pq Match Group !mygroup, User !root
+will never match.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config
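Review bot: The wording "the set you operate on" in the added paragraph is not defined anywhere in the surrounding text, so the reader still has to work out what the set is; say it directly, e.g. "A negated pattern only removes entries that a non-negated pattern in the same list has matched; a list consisting solely of negated patterns therefore matches nothing." Two smaller points in the same hunk: "you've to make sure" should read "you have to make sure", and the patch is against ssh_config.5 while the mail and the example (`Match Group *,!mygroup, User *,!root`) concern the Match block of sshd_config; if the intent is that this generic PATTERNS text is the one sshd_config(5) refers to, fine, but the commit message or the paragraph should say so, otherwise the note also belongs in sshd_config.5 where server administrators will look for it.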
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
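As an added example (not OpenSSH's code, and not part of Sven's mail or patch), a small Python model of the pattern-list semantics the mail describes: a negated pattern can only subtract from what a positive pattern matched, so `Match User !root` matches nothing while `Match User *,!root` excludes only root. User and group names are constructed, and only the `*` and `?` wildcards are modelled.

```python
"""Model of sshd_config 'Match' pattern lists with negation (added example)."""


def glob_match(pattern: str, value: str) -> bool:
    """Match value against pattern: '*' is any run of characters, '?' one."""
    if not pattern:
        return not value
    if pattern[0] == "*":
        # '*' may consume zero or more characters of value.
        return any(glob_match(pattern[1:], value[i:]) for i in range(len(value) + 1))
    if not value:
        return False
    if pattern[0] == "?" or pattern[0] == value[0]:
        return glob_match(pattern[1:], value[1:])
    return False


def match_pattern_list(value: str, patterns: str) -> int:
    """Evaluate a comma-separated pattern list.

    Returns -1 if a negated pattern matched (explicit exclusion), 1 if some
    non-negated pattern matched and no negated one did, else 0.  A list with
    no positive pattern, such as '!root', can therefore never return 1.
    """
    got_positive = False
    for raw in patterns.split(","):
        pat = raw.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if glob_match(pat, value):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_groups(groups: list[str], patterns: str) -> bool:
    """Group criterion: any group may satisfy the list, but a negated hit on
    any group rejects the user (so members of 'mygroup' stay excluded)."""
    found = False
    for g in groups:
        r = match_pattern_list(g, patterns)
        if r == -1:
            return False
        found = found or r == 1
    return found


def match_user_group(user: str, groups: list[str], user_pats: str, group_pats: str) -> bool:
    """Model 'Match User <user_pats>, Group <group_pats>' (criteria are ANDed)."""
    return match_pattern_list(user, user_pats) == 1 and match_groups(groups, group_pats)
```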
