Match directive and negations

Sven Hoexter sven at timegate.de
Wed Jul 30 02:14:05 EST 2014


Hi,
I tried to set up some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.

What I tried first was
     Match User !root, Group !mygroup
which to my momentary surprise did not work.

After carefully re-reading the manpage, and some trial and error,
I've understood that the logic is based on set theory and I
tried to essentially exclude user/groups from an empty set, which
of course has no result and thus cannot match anything.

So a
   Match User *,!root, Group *,!mygroup
worked for my case.

I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.

Sven
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh_config.5_negations.diff
Type: text/x-diff
Size: 726 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140729/62900cd7/attachment.bin>
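Added example, not part of the original message and not OpenSSH code: a simplified Python model of the pattern-list rule described above, in which a negated entry can only veto and at least one positive entry must match. The function names, the sample accounts and the way a user's groups are combined are assumptions of this model.

```python
import re

def _glob(pattern, name):
    """Match one sshd-style pattern ('*' = any run, '?' = one char)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def match_pattern_list(name, pattern_list):
    """Return 1 on a positive match, -1 on a negated match, 0 on no match."""
    got_positive = False
    for pat in (p.strip() for p in pattern_list.split(",")):
        if not pat:
            continue
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat, name):
            if negated:
                return -1          # a negated hit rejects immediately
            got_positive = True    # remember it, later negations may still veto
    return 1 if got_positive else 0

def match_block_applies(user, groups, user_list, group_list):
    """Model of 'Match User <user_list> Group <group_list>': both must hold."""
    if match_pattern_list(user, user_list) != 1:
        return False
    results = [match_pattern_list(g, group_list) for g in groups]
    # Assumption: any negated group hit rejects, else one positive hit is needed.
    return -1 not in results and 1 in results

# Constructed accounts for illustration: (user, groups)
ACCOUNTS = [("root", ["root"]),
            ("alice", ["staff"]),
            ("bob", ["staff", "mygroup"])]

def evaluate(user_list, group_list):
    """Map each sample user to whether the Match block would apply."""
    return {u: match_block_applies(u, g, user_list, group_list)
            for u, g in ACCOUNTS}

if __name__ == "__main__":
    print("negation only:", evaluate("!root", "!mygroup"))
    print("with wildcard:", evaluate("*,!root", "*,!mygroup"))
```

With negation-only lists the block applies to nobody, so any restriction placed under such a Match line is never enforced.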
