[Bug 2262] New: Clarification for the usage of Match directives with negations

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 15 23:10:51 EST 2014


            Bug ID: 2262
           Summary: Clarification for the usage of Match directives with
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sven at timegate.de

Created attachment 2460
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2460&action=edit
proposed clarification for the usage of negations with Match

I tried to set up some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.

What I tried first was
     Match User !root, Group !mygroup
which to my momentary surprise did not work.

After carefully re-reading the manpage, and some trial and error,
I've understood that the logic is based on set theory and I
tried to essentially exclude user/groups from an empty set, which
of course has no result and thus cannot match anything.

So a
   Match User *,!root, Group *,!mygroup
worked for my case.

I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.

I also posted that to the mailing list some time ago but there was
no concrete feedback. So I'm just filing this bug so that the patch
proposal won't be lost unnoticed.

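The behaviour described in the report, as an added example that is not part of the original message or of OpenSSH's own code: a simplified Python model of pattern-list matching (positive match, negated match, no match), plus a check that flags Match criteria made up only of negations, which can never match and therefore leave the settings in that block unapplied. The function names, the whitespace tokenizer and the sample configuration are assumptions made for illustration.

```python
import re

def wildcard_match(name, pattern):
    """Match '*' and '?' wildcards only, anchored to the whole name."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name, re.S) is not None

def match_pattern_list(name, pattern_list):
    """1 = positive match, -1 = a negated pattern matched, 0 = nothing matched."""
    got_positive = False
    for pat in filter(None, (p.strip() for p in pattern_list.split(","))):
        negated = pat.startswith("!")
        if wildcard_match(name, pat[1:] if negated else pat):
            if negated:
                return -1          # a negated hit vetoes the whole list
            got_positive = True    # only a non-negated hit can make the list match
    return 1 if got_positive else 0

def negation_only_criteria(config_text):
    """Return (line_no, criterion, pattern_list) for Match criteria that can never match."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()   # simplified: drop comments, split on whitespace
        if not tokens or tokens[0].lower() != "match":
            continue
        args = tokens[1:]
        for crit, plist in zip(args[0::2], args[1::2]):   # criterion / pattern-list pairs
            pats = [p for p in plist.split(",") if p]
            if pats and all(p.startswith("!") for p in pats):
                findings.append((no, crit, plist))
    return findings

# Constructed sample, built around the two Match lines quoted in the report.
SAMPLE = """\
Match User !root, Group !mygroup
    PasswordAuthentication no
Match User *,!root, Group *,!mygroup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for user in ("alice", "root"):
        print(user, match_pattern_list(user, "!root"), match_pattern_list(user, "*,!root"))
    print(negation_only_criteria(SAMPLE))
```

A block applies only when every criterion's pattern list yields a positive match, so any finding from `negation_only_criteria` marks a Match block whose settings are never enforced.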