help with negative patterns in Match
Damien Miller
djm at mindrot.org
Tue Feb 24 10:15:01 AEDT 2015
On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:
> Hey.
>
> Perhaps someone can help me with the following (OpenSSH 6.7):
>
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
>
> Some specific users should be only reachable from the inside, so e.g.
> though something like this would do the job in sshd_config:
>
> #general config
> #...
>
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
> PasswordAuthentication no
> KbdInteractiveAuthentication no
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> RSAAuthentication no
> PubkeyAuthentication yes
>
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

    Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate, e.g.

    Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
>
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we
want to either.
-d
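An added example, not part of the original message and not OpenSSH's own code: a simplified Python model of the pattern-list rule described in the reply, where a matching negated term vetoes the list and at least one non-negated term must match. The function names are hypothetical and 192.0.2.10 is a constructed "outside" local address.

```python
import ipaddress
import re


def _term_matches(addr, term):
    """True if addr matches one term: an address, a CIDR block, or a */? wildcard."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(term)
    except ValueError:
        # Not an address or CIDR block: treat the term as a wildcard pattern.
        rx = "".join(
            ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term
        )
        return re.fullmatch(rx, addr) is not None


def pattern_list_matches(addr, pattern_list):
    """Model of the rule: a negated hit fails the list, a positive hit is required."""
    matched = False
    for term in pattern_list.split(","):
        negated = term.startswith("!")
        if _term_matches(addr, term[1:] if negated else term):
            if negated:
                return False  # a matching negated term vetoes the whole list
            matched = True    # only a non-negated term can produce a match
    return matched


# The two predicates from the thread.
NEGATED_ONLY = "!10.0.0.1,!fe80:abba::0"
WITH_WILDCARD = "*,!10.0.0.1,!fe80:abba::0"

if __name__ == "__main__":
    # Constructed local addresses: two inside, one outside.
    for laddr in ("10.0.0.1", "fe80:abba::", "192.0.2.10"):
        print(
            f"{laddr:12} negated-only={pattern_list_matches(laddr, NEGATED_ONLY)!s:5} "
            f"with-wildcard={pattern_list_matches(laddr, WITH_WILDCARD)}"
        )
```

The negated-only list is false for every address, which is why the second Match block in the question is never entered; with the leading `*` it is true only for addresses outside the two listed.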