Disabling ForceCommand in a Match block

Knox, Bill wknox at mitre.org
Fri May 18 00:22:43 EST 2007


At this point, put any testing that you do into the bug (#1315) on the
Bugzilla site - other than that, I guess it's up to the developers to
either

1) include it
2) spot the idiotic oversight in my implementation, modify it and then
include it
3) spot the idiotic oversight in my logic and refuse it

I'm not taking any bets :-)

Thanks, by the way, for the positive feedback.

                  Bill Knox
                  Lead Operating Systems Programmer/Analyst
                  The MITRE Corporation

-----Original Message-----
From: openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org
[mailto:openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org] On Behalf Of Remy Blank
Sent: Thursday, May 17, 2007 5:43 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Disabling ForceCommand in a Match block

Knox, Bill wrote:
> Therefore,
> negation won't work for Groups, though it will for the User, Host and
> Address criteria (the same is true for comma separated values for the
> same reason). I've tested this, and it works with the following setup:
> 
> Match User *,!root
> 	ForceCommand echo "Test"

This is brilliant! It solves my problem much better than my current
workaround:

Match User user1, user2, user3, ...
    ForceCommand /usr/bin/validate-command

(As this is a production machine, I didn't dare keep my patch before
getting at least some feedback from people more knowledgeable than I
am).

> I have written a brief patch to implement this. I haven't tested what
> happens with the AllowGroups and DenyGroups cases, but it will work in
> to force a command for everyone not in the other group as follows:
> 
> Match Group *,!other
> 	ForceCommand echo "Test"

This would completely and elegantly solve my situation. Thanks for
taking the time to implement it. Do you need any testing at this point?

-- Remy


