[Bug 2262] New: Clarification for the usage of Match directives with negations

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 15 23:10:51 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2262

            Bug ID: 2262
           Summary: Clarification for the usage of Match directives with
                    negations
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sven at timegate.de

Created attachment 2460
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2460&action=edit
proposed clarification for the usage of negations with Match

Hi,
I tried to set up some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.

What I tried first was
     Match User !root, Group !mygroup
which to my momentary surprise did not work.

After carefully re-reading the manpage, and some trial and error,
I've understood that the logic is based on set theory and I
tried to essentially exclude user/groups from an empty set, which
of course has no result and thus cannot match anything.

So a
   Match User *,!root, Group *,!mygroup
worked for my case.

I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.

I also posted that to the mailing list some time ago but there was
no concrete feedback. So I'm just filing this bug so that the patch
proposal won't be lost unnoticed.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
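
The behaviour described in the report, as an added example that is not part of the original message and not OpenSSH's own code: a simplified Python model of pattern-list evaluation, assuming the documented rule that a negated match never produces a positive result by itself. Function names and the sample accounts are constructed for illustration.

```python
import re

def wildcard_match(pattern, value):
    """'*' matches any run of characters, '?' matches exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def match_pattern_list(value, pattern_list):
    """Return 1 on a positive match, -1 if a negated pattern hit, else 0."""
    result = 0
    for pattern in (p.strip() for p in pattern_list.split(",")):
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if wildcard_match(pattern[1:] if negated else pattern, value):
            if negated:
                return -1      # a negated hit vetoes the whole list
            result = 1         # remember the positive hit, keep scanning
    return result              # 0: nothing matched, so the list does not match

def match_user(user, pattern_list):
    return match_pattern_list(user, pattern_list) == 1

def match_group(groups, pattern_list):
    """Match if some group matches positively and no group is vetoed."""
    matched = False
    for group in groups:
        verdict = match_pattern_list(group, pattern_list)
        if verdict == -1:
            return False
        matched = matched or verdict == 1
    return matched

def match_block_applies(user, groups, user_patterns, group_patterns):
    """All criteria on a Match line must be satisfied."""
    return match_user(user, user_patterns) and match_group(groups, group_patterns)

if __name__ == "__main__":
    # Constructed sample accounts: (user, groups)
    accounts = [("alice", ["users"]), ("bob", ["users", "mygroup"]), ("root", ["root"])]
    for user_pats, group_pats in [("!root", "!mygroup"), ("*,!root", "*,!mygroup")]:
        for user, groups in accounts:
            hit = match_block_applies(user, groups, user_pats, group_pats)
            print(f"User {user_pats:8} Group {group_pats:12} {user:6} -> {hit}")
```

With only negated patterns the block applies to no account at all, so any restrictive settings placed under such a Match line are silently never enforced.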

