help with negative patterns in Match

Damien Miller djm at
Tue Feb 24 10:15:01 AEDT 2015

On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
> Perhaps someone can help me with the following (OpenSSH 6.7):
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
> Some specific users should be only reachable from the inside, so e.g.
> thought something like this would do the job in sshd_config:
> #general config
> #...
> Match User foo LocalAddress,fe80:abba::0
>         PasswordAuthentication          no
>         KbdInteractiveAuthentication    no
>         RhostsRSAAuthentication         no
>         HostbasedAuthentication         no
>         KerberosAuthentication          no
>         GSSAPIAuthentication            no
>         RSAAuthentication               no
>         PubkeyAuthentication            yes
> Match User foo LocalAddress !,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress

otherwise you need to have at least one matching term in the predicate, e.g.

Match User foo LocalAddress *,!,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we
want to either.
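
The matching rule described in the reply above, as an added example that is not part of the original message and is not OpenSSH's code: a simplified Python model of an address pattern list in which a negated hit vetoes the list and at least one positive term must match. The addresses are constructed documentation addresses, and `match_list` and `demo` are hypothetical helper names.

```python
import fnmatch
import ipaddress

# Constructed sample lists (documentation address ranges, not from the thread).
ONLY_NEGATED = "!192.0.2.10,!2001:db8:1::/64"
WITH_WILDCARD = "*,!192.0.2.10,!2001:db8:1::/64"


def _term_matches(addr, term):
    """True if one list entry (address, CIDR or wildcard) covers addr."""
    try:
        net = ipaddress.ip_network(term, strict=False)
        return ipaddress.ip_address(addr) in net
    except ValueError:
        # Not an address or CIDR: plain wildcard string match, no DNS lookup,
        # so a hostname term never matches a numeric local address.
        return fnmatch.fnmatchcase(addr, term)


def match_list(addr, pattern_list):
    """Model: True only if a positive term matches and no negated term does."""
    matched = False
    for term in pattern_list.split(","):
        term = term.strip()
        negated = term.startswith("!")
        if negated:
            term = term[1:]
        if not term:
            continue
        if _term_matches(addr, term):
            if negated:
                return False  # a negated hit vetoes the whole list
            matched = True
    return matched


def demo():
    """Map local address -> (only-negated result, wildcard-plus-negated result)."""
    return {
        local: (match_list(local, ONLY_NEGATED), match_list(local, WITH_WILDCARD))
        for local in ("192.0.2.10", "198.51.100.7")
    }


if __name__ == "__main__":
    for local, (neg_only, with_star) in demo().items():
        print(f"{local}: only-negated={neg_only} wildcard+negated={with_star}")
```

In this model the only-negated list is false for every local address, so a Match block written that way never takes effect and the settings inside it are silently not applied.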

