
Re: sshd_config match keyword syntax



On 30/08/12 16:20, Brian wrote:
> On Thu 30 Aug 2012 at 14:37:34 +0100, Roger Lynn wrote:
>> I want to force everyone except members of a particular group to run sftp
>> when they ssh into a server. So at the end of /etc/ssh/sshd_config I have:
>> 
>> Match Group !sshers
>>   ForceCommand /usr/lib/openssh/sftp-server
>> 
>> However I can't get the group negation to work. If I remove the '!' it works
>> as expected, in that members of sshers are forced to run sftp. With the '!'
>> the condition is never met, no one is forced to run sftp and the whole
>> stanza appears to do nothing.
>> 
>> The documentation on the Match keyword is not very helpful, but it appears
>> that the above should be allowed. What am I doing wrong? Is it a bug?
> 
> Two questions. I'll go for the first one. First read the PATTERNS section
> of ssh_config(5). Then think about
> 
>    Match Group *
> 
> and
> 
>    Match Group *,!sshers

Thank you to Camaleón and to you, this line works.

I did read the PATTERNS section, but it didn't help very much. Although it's
not explicitly stated, I infer that the comma operates as a logical 'and'.
What is not clear is exactly what the Group criterion matches or how the
negation operator works.

If "Group sshers" matches all members of the 'sshers' group then I would
assume that "Group !sshers" would match all users who are not in that group.
However that seems not to be the case. It appears that it actually means
something like "don't match members of the sshers group", which means you
need the counter-intuitive "*," in front of it to get the expected effect.
This is not stated anywhere.

I find the logic strange and difficult to follow, but the documentation is
just awful.

Thanks again,

Roger
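The behaviour Roger and Brian describe follows from how OpenSSH evaluates a
pattern list: each comma-separated sub-pattern is tried in turn, a hit on a
negated ("!") sub-pattern rejects immediately, and a hit on a plain
sub-pattern is only remembered as a positive, so a list made of nothing but
negations can never produce a match. For "Match Group" that list is tested
against every group the user belongs to, and a negated hit on any of them wins.
The model below is an added example written for this page, not code from the
thread or from OpenSSH itself; it follows my reading of match_pattern_list()
in OpenSSH's match.c and ga_match_pattern_list() in groupaccess.c, uses
Python's fnmatch as a stand-in for OpenSSH's own "*"/"?" matcher, and models
only the Group criterion and the ForceCommand keyword. The two config
fragments are constructed from the ones in the thread.

```python
import fnmatch

# Constructed sshd_config fragments: Roger's original stanza, which never
# matches anyone, and Brian's corrected form.
BROKEN_CONFIG = """\
Match Group !sshers
  ForceCommand /usr/lib/openssh/sftp-server
"""

FIXED_CONFIG = """\
Match Group *,!sshers
  ForceCommand /usr/lib/openssh/sftp-server
"""


def match_pattern_list(string, pattern_list):
    """Model of OpenSSH's match_pattern_list(): walk the comma-separated
    sub-patterns in order.  A hit on a negated sub-pattern ('!' prefix)
    returns -1 at once; a hit on a plain sub-pattern is remembered as a
    positive.  Returns 1 if some positive sub-pattern matched and no negated
    one did, 0 if nothing matched.  A list containing only negations can
    therefore never return 1.  fnmatchcase stands in for OpenSSH's glob."""
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatch.fnmatchcase(string, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def group_matches(user_groups, group_pattern):
    """Model of ga_match_pattern_list(): the 'Match Group' pattern is tested
    against every group the user is in.  A negated hit on any group rejects
    the user outright; otherwise the user matches only if at least one group
    produced a positive result."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, group_pattern)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def force_command_for(config_text, user_groups):
    """Evaluate a minimal sshd_config fragment for a user with the given
    groups and return the ForceCommand that would apply, or None.  Only
    'Match Group' and ForceCommand are modelled.  A Match block's value
    overrides the global one; among several matching blocks the first that
    sets the keyword wins."""
    global_cmd = None
    block_cmd = None
    in_match = False
    active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = arg.split(None, 1)
            if len(crit) != 2 or crit[0].lower() != "group":
                raise ValueError("only 'Match Group <pattern>' is modelled here")
            in_match = True
            active = group_matches(user_groups, crit[1].strip())
        elif keyword == "forcecommand":
            if not in_match:
                global_cmd = arg
            elif active and block_cmd is None:
                block_cmd = arg
    return block_cmd if block_cmd is not None else global_cmd


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        for groups in (["users"], ["sshers", "users"]):
            print(label, groups, "->", force_command_for(cfg, groups))
```

Run as a script it prints that the broken stanza forces nothing for anyone,
while the fixed one forces sftp-server for a user in "users" only and leaves a
member of "sshers" with a normal shell. On a real host the same check is
`sshd -T -C user=roger,host=client.example,addr=192.0.2.1 | grep -i forcecommand`,
which prints the configuration sshd would apply to that connection.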

