08-30-2012, 03:51 PM
Camaleón

sshd_config match keyword syntax

On Thu, 30 Aug 2012 14:37:34 +0100, Roger Lynn wrote:

> I want to force everyone except members of a particular group to run
> sftp when they ssh into a server. So at the end of /etc/ssh/sshd_config
> I have:
>
> Match Group !sshers
> ForceCommand /usr/lib/openssh/sftp-server
>
> However I can't get the group negation to work. If I remove the '!' it
> works as expected, in that members of sshers are forced to run sftp.
> With the '!' the condition is never met, no one is forced to run sftp
> and the whole stanza appears to do nothing.
>
> The documentation on the Match keyword is not very helpful, but it
> appears that the above should be allowed. What am I doing wrong? Is it a
> bug?

(...)

Agree, it could have been better documented as Oracle did by adding some
practical samples for their SunOS package:

***
http://docs.oracle.com/cd/E19082-01/819-2251/6n4i7tddd/index.html

Displaying a special banner for users not in the staff group:

Match Group *,!staff
Banner /etc/banner.text
***

Check if that also works for you.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/k1o265$pns$9@ger.gmane.org
 
09-03-2012, 09:45 PM
Roger Lynn

sshd_config match keyword syntax

On 30/08/12 16:20, Brian wrote:
> On Thu 30 Aug 2012 at 14:37:34 +0100, Roger Lynn wrote:
>> I want to force everyone except members of a particular group to run sftp
>> when they ssh into a server. So at the end of /etc/ssh/sshd_config I have:
>>
>> Match Group !sshers
>> ForceCommand /usr/lib/openssh/sftp-server
>>
>> However I can't get the group negation to work. If I remove the '!' it works
>> as expected, in that members of sshers are forced to run sftp. With the '!'
>> the condition is never met, no one is forced to run sftp and the whole
>> stanza appears to do nothing.
>>
>> The documentation on the Match keyword is not very helpful, but it appears
>> that the above should be allowed. What am I doing wrong? Is it a bug?
>
> Two questions. I'll go for the first one. First read the PATTERNS section
> of ssh_config(5). Then think about
>
> Match Group *
>
> and
>
> Match Group *,!sshers

Thank you to Camaleón and to you, this line works.

I did read the PATTERNS section, but it didn't help very much. Although it's
not explicitly stated I infer that the comma operates as a logical 'and'.
What is not clear is exactly what the Group criterion matches or how the
negation operator works.

If "Group sshers" matches all members of the 'sshers' group then I would
assume that "Group !sshers" would match all users who are not in that group.
However that seems not to be the case. It appears that it actually means
something like "don't match members of the sshers group", which means you
need the counter-intuitive "*," in front of it to get the expected effect.
This is not stated anywhere.

I find the logic strange and difficult to follow but the documentation is
just awful.

Thanks again,

Roger


--
Archive: http://lists.debian.org/f1lfh9-ecd.ln1@silverstone.rilynn.me.uk
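
The pattern-list behaviour discussed in this thread, as an added example that is not part of the original posts and is not OpenSSH's own code: a small Python model of how a `Match Group` list is evaluated, in which a negated pattern can only veto a match and never produces one by itself, so `Match Group !sshers` leaves the ForceCommand applied to no one. The user names, group memberships and function names are constructed for illustration.

```python
import re

def _glob(pattern, name):
    """Match one pattern; only '*' and '?' act as wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def match_pattern_list(name, pattern_list):
    """Return 1 on a positive match, -1 if a negated pattern matches, else 0."""
    result = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _glob(pat, name):
            if negated:
                return -1   # a negated hit vetoes the whole list
            result = 1      # remember the positive hit, keep scanning for vetoes
    return result

def group_criterion(user_groups, pattern_list):
    """Model of 'Match Group <pattern_list>' for one user's set of groups."""
    found = False
    for group in user_groups:
        r = match_pattern_list(group, pattern_list)
        if r == -1:
            return False    # user belongs to an excluded group
        if r == 1:
            found = True
    return found            # stays False unless some positive pattern matched

# Constructed sample accounts (hypothetical users and groups).
USERS = {"alice": ["alice", "sshers"], "bob": ["bob", "users"]}

def forced_to_sftp(pattern_list):
    """Users for whom the Match block, and so its ForceCommand, would apply."""
    return sorted(u for u, groups in USERS.items()
                  if group_criterion(groups, pattern_list))

if __name__ == "__main__":
    for pl in ("sshers", "!sshers", "*,!sshers"):
        print(f"Match Group {pl:<10} -> ForceCommand applies to {forced_to_sftp(pl)}")
```

On a real server, `sshd -T -C user=<name>,host=<host>,addr=<addr>` prints the effective configuration for that connection, which shows whether `forcecommand` is actually set for a given account.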
 

All times are GMT.