Configurable restrictions

Darren Tucker dtucker at
Sat Jan 20 16:26:26 EST 2007

Jonathan Miles wrote:
> Today I modified OpenSSH so that it allows me to configure in a generic 
> way, restrictions on what server functions can be used by system users 
> after they authenticate. The partial implementation of my plans only 
> works for SSH2, but allows me to write entries like the following in 
> sshd_config:
>    ChannelReqDeny shell g restricted
>    ChannelReqDeny exec g restricted
>    ChannelReqDeny x11-req u *
> ... to deny access to those channel requests for group 'restricted'.
> Using my modified sftp-server, I can also write this:
>    Subsystem sftp /path/to/sftp-server
>    SetIf g restricted Subsystem sftp /path/to/sftp-server --chroot
> ... and anyone in the same group is jailed to the cwd, i.e. their home 
> directory.
> The above works fine, but I want to expand it further. Bearing in mind 
> that 2 days ago I'd never before looked at the SSH code or the RFCs, I 
> thought I'd get some feedback from people on this list.
> What do you think? Are these features useful for other people? Am I 
> taking the right approach?

You should have a look at the Match directive that's in 4.4 and up, 
which provides a general mechanism for matching users, groups, networks 
and hosts.  It works similarly to the Hosts directive in ssh_config. 
Your example above would be:

Match Group restricted
	ChannelReqDeny shell
	ChannelReqDeny exec

(and so on).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list