How to exclude from a "Match Group" in SSHD?

The Match operator can take multiple arguments, allowing very flexible rules. In this case, you could do something like this to achieve what you want.

Match Group FOOGROUP User !username
  ForceCommand /bin/customshell

The ! negates the argument passed to the User criterion, so even if the user username is in the group FOOGROUP, the Match will not be successful, and username will not be given the custom shell upon logging in.


You need to use multiple clauses in your config file entry, but in a very specific way. There is a bug in some setups that causes the generally recommended, and simplest, syntax ("Match Group FOOGROUP User !username") either to make everyone else in the group fail to Match or to let them escape their chroot jail.

On Debian Jessie using OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.2d, I get the result that everyone else in the group can no longer connect. Others report jail breaks. In both cases a syntax of

Match Group FOOGROUP User *,!username

seems to work without side-effects. Some sort of bug in the parser no doubt.
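To make the difference between the two syntaxes in this answer (and the first answer's plain "User !username") concrete, here is an added Python model of how OpenSSH evaluates the pattern lists in a Match line, following the rules documented in sshd_config(5) under PATTERNS. It is not code from this page or from OpenSSH; the user-to-group table is constructed, and FOOGROUP is the page's placeholder group name. Under those rules a list that contains only negated patterns never produces a positive match, so "User !username" selects nobody, while "User *,!username" has the wildcard as its positive term and excludes only username.

```python
"""Model of OpenSSH Match-criteria pattern lists (sshd_config(5), PATTERNS).

Rules modelled:
  * sub-patterns in a list are separated by commas
  * '*' and '?' are wildcards; a leading '!' negates a sub-pattern
  * a negated sub-pattern that matches ends evaluation with "no match"
  * the list matches only if some non-negated sub-pattern matched
  * criteria on one Match line are ANDed
"""

from typing import Dict, List, Tuple


def match_pattern(s: str, pat: str) -> bool:
    """Glob match supporting only '*' and '?', like OpenSSH's match_pattern()."""
    if not pat:
        return not s
    if pat[0] == "*":
        # '*' may consume any run of characters, including none
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pat[0] == "?" or pat[0] == s[0]:
        return match_pattern(s[1:], pat[1:])
    return False


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Tri-state like OpenSSH: 1 positive match, 0 no match, -1 negated match."""
    got_positive = 0
    for sub in pattern_list.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1  # a negated hit wins immediately
            got_positive = 1
    return got_positive  # only a non-negated hit yields a match


def group_list_matches(groups: List[str], pattern_list: str) -> bool:
    """Group criterion: checked against every group the user belongs to;
    a negated hit on any group rejects, a positive hit on any group accepts."""
    found = False
    for g in groups:
        r = match_pattern_list(g, pattern_list)
        if r == -1:
            return False
        if r == 1:
            found = True
    return found


def parse_match(line: str) -> List[Tuple[str, str]]:
    """Turn 'Match Group FOOGROUP User *,!username' into (keyword, list) pairs."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "match" or len(tokens) % 2 != 1:
        raise ValueError("expected: Match <keyword> <patterns> [<keyword> <patterns> ...]")
    return list(zip(tokens[1::2], tokens[2::2]))


def match_line_applies(criteria: List[Tuple[str, str]], user: str, groups: List[str]) -> bool:
    """All criteria must hold for the Match block to apply (AND semantics)."""
    for keyword, patterns in criteria:
        kw = keyword.lower()
        if kw == "user":
            if match_pattern_list(user, patterns) != 1:
                return False
        elif kw == "group":
            if not group_list_matches(groups, patterns):
                return False
        else:
            raise ValueError(f"criterion not modelled here: {keyword}")
    return True


# Constructed membership table (hypothetical accounts, page's FOOGROUP name).
MEMBERS: Dict[str, List[str]] = {
    "username": ["FOOGROUP"],
    "alice": ["FOOGROUP"],
    "bob": ["FOOGROUP", "wheel"],
    "carol": ["staff"],
}


def users_matched(line: str, members: Dict[str, List[str]] = MEMBERS) -> List[str]:
    """Return the sorted list of users for whom the given Match line applies."""
    criteria = parse_match(line)
    return sorted(u for u, gs in members.items() if match_line_applies(criteria, u, gs))


if __name__ == "__main__":
    for line in ("Match Group FOOGROUP User !username",
                 "Match Group FOOGROUP User *,!username"):
        print(f"{line!r} -> {users_matched(line)}")
```

On a real host the same question can be answered without a model: sshd's test mode prints the effective configuration for a hypothetical connection, for example `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (constructed values), so you can see whether the ForceCommand or ChrootDirectory from the Match block is applied to a given user before restarting the daemon.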


With the option below I can jail the SFTP user within the specified directory, and the specified user is also able to log in through SSH.

Match Group groupname User *,!username

Thanks.
