Re: help with negative patterns in Match

On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
> 
> Perhaps someone can help me with the following (OpenSSH 6.7):
> 
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
> 
> Some specific users should be only reachable from the inside, so e.g.
> thought something like this would do the job in sshd_config:
> 
> #general config
> #...
> 
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
>         PasswordAuthentication          no
>         KbdInteractiveAuthentication    no
>         RhostsRSAAuthentication         no
>         HostbasedAuthentication         no
>         KerberosAuthentication          no
>         GSSAPIAuthentication            no
>         RSAAuthentication               no
>         PubkeyAuthentication            yes
> 
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate, e.g.

Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
> 
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we
want to either.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
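
Added example, not part of the original message and not OpenSSH's own code: a simplified C model of why a list made only of negated entries never selects a Match block, while the `*,!10.0.0.1,!fe80:abba::0` form does. The function names and the address 192.0.2.7 are constructed for illustration, and the model assumes only literal addresses and a bare `*` (no CIDR or partial wildcards).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: an entry matches if it is "*" or equals addr exactly.
 * CIDR ranges and partial wildcards are deliberately not modelled. */
static int entry_matches(const char *entry, size_t len, const char *addr)
{
    if (len == 1 && entry[0] == '*')
        return 1;
    return strlen(addr) == len && strncmp(entry, addr, len) == 0;
}

/* Returns 1 = positive entry matched, 0 = nothing matched,
 * -1 = a negated entry matched. Only 1 satisfies the Match criterion. */
int model_match_list(const char *addr, const char *list)
{
    int result = 0;
    const char *p = list;

    while (*p != '\0') {
        size_t len = strcspn(p, ",");          /* length of this entry */
        int negated = (len > 0 && p[0] == '!');
        const char *entry = p + negated;       /* skip the leading '!' */
        size_t elen = len - negated;

        if (elen > 0 && entry_matches(entry, elen, addr)) {
            if (negated)
                return -1;                     /* negated hit vetoes the list */
            result = 1;                        /* remember the positive hit */
        }
        p += len;
        if (*p == ',')
            p++;
    }
    return result;
}

int main(void)
{
    const char *lists[] = { "!10.0.0.1,!fe80:abba::0",
                            "*,!10.0.0.1,!fe80:abba::0" };
    const char *addrs[] = { "10.0.0.1", "192.0.2.7" };  /* constructed samples */
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++)
            printf("%-28s laddr=%-10s -> %d\n", lists[i], addrs[j],
                   model_match_list(addrs[j], lists[i]));
    return 0;
}
```

With the negation-only list, every address yields 0 or -1, so the second Match block is never entered; adding `*` supplies the positive term that lets non-excluded addresses return 1.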



