Disabling ForceCommand in a Match block
Remy Blank
remy.blank at pobox.com
Thu May 17 19:42:44 EST 2007
Knox, Bill wrote:
> Therefore,
> negation won't work for Groups, though it will for the User, Host and
> Address criteria (the same is true for comma separated values for the
> same reason). I've tested this, and it works with the following setup:
>
> Match User *,!root
> ForceCommand echo "Test"
This is brilliant! It solves my problem much better than my current
workaround:
Match User user1, user2, user3, ...
ForceCommand /usr/bin/validate-command
(As this is a production machine, I didn't dare keep my patch before
getting at least some feedback from people more knowledgeable than I am).
> I have written a brief patch to implement this. I haven't tested what
> happens with the AllowGroups and DenyGroups cases, but it will work in
> to force a command for everyone not in the other group as follows:
>
> Match Group *,!other
> ForceCommand echo "Test"
This would completely and elegantly solve my situation. Thanks for
taking the time to implement it. Do you need any testing at this point?
-- Remy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070517/e190e21b/attachment.bin
More information about the openssh-unix-dev
mailing list