[Bug 1646] Match directive does not override default settings

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Sep 3 19:24:14 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1646



--- Comment #4 from David Alves <alves at montecristogames.com> 2009-09-03 19:24:13 EST ---
(In reply to comment #3)
> (In reply to comment #2)
> > If you are trying to refuse all access except to some subset of users,
> > I suggest that you disable all authentication methods on the main
> > config and then turn them back on for your allowed users in a Match
> > block.
> 
> I'd like to add something like "Allow yes" or similar that simply sets
> authctxt->valid at the start of the auth process.  This would play nice
> with Match.  You could do:
> 
> Allow no
> Match User fred
>   Allow yes

Exactly, because we are managing users with LDAP (pam_ldap) we can't
statically define them in sshd_config since users are changing very
frequently.

So it would be great if, when a user who is present in the deny list is
matched by the Match directive, this implicitly overrode DenyUsers for
this particular case and then performed actions like ForceCommand.

It makes sense since we have a block with many conditions to be
satisfied and we can restrict the Match block to a user with a host etc.
etc., and deny other cases.

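As an added illustration of the workaround comment #2 describes (not configuration from the bug report or from the OpenSSH project), this sshd_config disables every authentication method in the global section and re-enables methods only inside Match blocks; the group name, user name, address ranges and command are placeholders:

```sshd_config
# --- Global section: refuse everyone by default ---
# With every authentication method disabled here, no user can log in
# unless a Match block below turns a method back on. This avoids
# DenyUsers, which (per this bug) a Match block cannot override once
# it is set in the global section.
UsePAM yes                          # LDAP passwords are checked via pam_ldap
PasswordAuthentication no
PubkeyAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PermitRootLogin no

# Match blocks are evaluated in order and the first block that sets a
# keyword wins, so the more specific user rule is listed first.

# --- One user, one host, one command (placeholders: fred, 192.0.2.10,
# /usr/local/bin/restricted-shell) ---
Match User fred Address 192.0.2.10
    PubkeyAuthentication yes
    ForceCommand /usr/local/bin/restricted-shell
    AllowTcpForwarding no
    X11Forwarding no

# --- Everyone else who is allowed: membership of "sshusers" (placeholder)
# is resolved through LDAP, so sshd_config never lists users by name ---
Match Group sshusers Address 192.0.2.0/24
    PubkeyAuthentication yes
    PasswordAuthentication yes
```

The effective settings for a given client can be checked without connecting, using `sshd -T -C user=fred,host=client.example,addr=192.0.2.10`, which prints the configuration after Match processing.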