Hi,
I tried to setup some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.
What I tried first was
Match User !root, Group !mygroup
which to my momentary surprise did not work.
After carefully re-reading the manpage, and some try and error
I've understood that the logic is based on set theory and I
tried to essentially exclude user/groups from an empty set, which
of course has no result and thus can not match anything.
So a
Match User *,!root, Group *,!mygroup
worked for my case.
I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.
Sven
--- ssh_config.5.orig Tue Jul 29 15:18:33 2014
+++ ssh_config.5 Tue Jul 29 17:59:21 2014
@@ -1469,6 +1469,25 @@
the following entry (in authorized_keys) could be used:
.Pp
.Dl from=\&"!*.dialup.example.com,*.example.com\&"
+.Pp
+If you use negations please keep in mind that you've to
+make sure that the set you operate on is not empty.
+Otherwise the intended match will be applied to an empty
+set which will never match.
+.Pp
+For example
+.Pp
+.Dl Match Group *,!mygroup, User *,!root
+.Pp
+will match everyone except the members of
+.Dq mygroup
+and the
+.Dq root
+user, while omitting the
+.Sq *
+wildcard
+.Pq Match Group !mygroup, User !root
+will never match.
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/config
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
