Disabling ForceCommand in a Match block

Knox, Bill wknox at mitre.org
Thu May 17 17:50:02 EST 2007


My reading of the Match conditional block was the criteria had to go
first, followed by the pattern. Therefore, I tried

Match Group !other
	ForceCommand echo "Test"

and it doesn't seem to work. In digging a bit deeper, it seems that the
Match conditional works a bit differently when it is dealing with the
Group keyword versus others (I assume because one can belong to many
groups and only have one User, Host and Address). They all call
match_cfg_line to check for a match, which in the case of the other
three calls match_pattern_list (in the case of Address, via
match_hostname), which allows negation and calls match_pattern. Groups,
however, calls match_cfg_line_group, which calls ga_match, which calls
match_pattern directly and doesn't use match_pattern_list. Therefore,
negation won't work for Groups, though it will for the User, Host and
Address criteria (the same is true for comma separated values for the
same reason). I've tested this, and it works with the following setup:

Match User *,!root
	ForceCommand echo "Test"

This makes sense in some scenarios, as patterns, negation and groups
don't mix well in the sense of testing all of the groups to which you
belong (one of the groups to which you belong will likely not match the
pattern in question). However, the case in question is a simpler one,
and I can see where it may be useful to examine negative group
membership.

Perhaps ga_match can be modified to work like match_pattern_list to
recognize negation on its own, or perhaps it could call
match_pattern_list instead of match_pattern directly and cause it to
trip the first time it gets a negative match (that is, the first time a
negative group is passed and the User doesn't belong).

I have written a brief patch to implement this. I haven't tested what
happens with the AllowGroups and DenyGroups cases, but it will work to
force a command for everyone not in the other group as follows:

Match Group *,!other
	ForceCommand echo "Test"

I have opened up a bugzilla case with an enhancement request and the
patch as well (ID 1315).

                  Bill Knox
                  Lead Operating Systems Programmer/Analyst
                  The MITRE Corporation
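
As an added illustration of the behaviour Bill describes (model code written for this page, not OpenSSH's own source): a toy glob, a pattern-list matcher with "!" negation as the User/Host/Address criteria use it, a group check that tests each group against the raw pattern (so "Match Group !other" can never match), and the proposed per-group list check where the first negative match rejects. Function names echo the thread's but everything here is a simplified model, and the group lists are constructed samples.

```c
#include <string.h>
/* Toy glob modelled on the semantics described in the thread (not OpenSSH's code). */
static int match_pattern(const char *s, const char *p)
{
    for (;; s++, p++) {
        if (*p == '\0') return *s == '\0';
        if (*p == '*') {
            if (*++p == '\0') return 1;
            for (; *s != '\0'; s++)
                if (match_pattern(s, p)) return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s)) return 0;
    }
}
/* Comma list with '!' negation as User/Host/Address use it: 1 match, -1 negated, 0 none. */
static int match_pattern_list(const char *s, const char *list)
{
    char sub[64]; int positive = 0;
    for (const char *p = list; *p != '\0'; p += strcspn(p, ","), p += (*p == ',')) {
        int neg = (*p == '!');
        size_t len = strcspn(p + neg, ",");
        if (len >= sizeof sub) return 0;
        memcpy(sub, p + neg, len); sub[len] = '\0';
        if (!match_pattern(s, sub)) continue;
        if (neg) return -1;   /* negated entry matched: reject outright */
        positive = 1;         /* keep scanning so a later '!' can still override */
    }
    return positive;
}
/* Group criterion as the thread describes ga_match: "!other" is just a literal name. */
static int group_match_current(const char **groups, int n, const char *pattern)
{
    for (int i = 0; i < n; i++)
        if (match_pattern(groups[i], pattern)) return 1;
    return 0;
}
/* Proposed behaviour: run the list per group; the first negative match rejects. */
static int group_match_proposed(const char **groups, int n, const char *list)
{
    int found = 0, r;
    for (int i = 0; i < n; i++) {
        if ((r = match_pattern_list(groups[i], list)) == -1) return 0;
        found |= (r == 1);
    }
    return found;
}
/* Constructed sample group lists: one user in users+other, one in users+wheel. */
static const char *in_other[] = {"users", "other"};
static const char *in_wheel[] = {"users", "wheel"};
```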

-----Original Message-----
From: openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org
[mailto:openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org] On Behalf
Of Remy Blank
Sent: Wednesday, May 16, 2007 11:43 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Disabling ForceCommand in a Match block

Iain Morgan wrote:
> It would be more in keeping with the general syntax of the ssh_config
> (and the preference of keeping the number of options to a minimum)
> to have ForcedCommand accept the special keyword 'none'.

This would prevent being able to call the command 'none'. I guess
that's ok.

>> Is there a better way to do this? Possibly without patching openssh?
> 
> I have to admit, I haven't played around with the Match keyword much.
> If it accepted negation (I don't recall if it does), you could do
> something like:
> 
> Match ! Group wheel
> 	ForceCommand /usr/bin/validate-ssh-command

Yes, that would be nice. Unfortunately, it doesn't work (I just tried
it).

-- Remy