How to exclude from a "Match Group" in SSHD?
The Match operator can take multiple arguments, allowing very flexible rules. In this case, you could do something like this to achieve what you want:

    Match Group FOOGROUP User !username
        ForceCommand /bin/customshell

The ! negates the argument passed to the User criterion, so even if the user username is in the group FOOGROUP, the Match will not be successful, and username will not be given the custom shell upon logging in.
You need to use multiple clauses in your config file entry, but in a very specific way. There is a bug in some setups that causes the generally recommended, and simplest, syntax ("Match Group FOOGROUP User !username") to either cause everyone else in the group to fail to Match or let them escape their chroot jail.

On Debian Jessie using OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.2d, I get the result that everyone else in the group can no longer connect. Others report jail breaks. In both cases a syntax of

    Match Group FOOGROUP User *,!username

seems to work without side effects. Some sort of bug in the parser, no doubt.
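The behaviour reported above is easier to reason about once you see how sshd evaluates a comma-separated pattern list. The following is an added example, not code from the thread or from OpenSSH itself: it re-implements the pattern-list rule documented in sshd_config(5) under PATTERNS (a negated pattern alone never yields a positive match; a negated pattern that matches rejects immediately) and applies it to a Group/User Match line. The user, group and pattern strings are constructed sample values.

```python
import re


def _match_pattern(string: str, pattern: str) -> bool:
    """Single-pattern match: only '*' and '?' are wildcards, case-sensitive."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, string) is not None


def match_pattern_list(string: str, pattern_list: str) -> int:
    """Evaluate a comma-separated pattern list the way sshd does.

    Returns 1 for a positive match, -1 for a negative match (a '!' pattern
    matched, which wins immediately) and 0 when nothing matched positively.
    Note that a list made only of negated patterns can never return 1.
    """
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if _match_pattern(string, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_block_applies(user: str, groups: set, group_pat: str, user_pat: str) -> bool:
    """Does 'Match Group <group_pat> User <user_pat>' select this login?

    Every criterion on the Match line must produce a positive match (== 1).
    The Group criterion is satisfied if any of the user's groups matches.
    """
    group_ok = any(match_pattern_list(g, group_pat) == 1 for g in groups)
    return group_ok and match_pattern_list(user, user_pat) == 1


def compare_syntaxes(users: dict) -> dict:
    """For each sample user (name -> groups), report whether the block applies
    under the bare '!username' syntax and under the '*,!username' syntax."""
    return {
        name: {
            "!username": match_block_applies(name, groups, "FOOGROUP", "!username"),
            "*,!username": match_block_applies(name, groups, "FOOGROUP", "*,!username"),
        }
        for name, groups in users.items()
    }


if __name__ == "__main__":
    # Constructed sample accounts: two members of FOOGROUP plus an outsider.
    sample = {"username": {"FOOGROUP"}, "alice": {"FOOGROUP"}, "carol": {"users"}}
    for name, result in compare_syntaxes(sample).items():
        print(name, result)
```

Running it shows that with "User !username" the block applies to nobody in FOOGROUP, whereas "User *,!username" applies to every member except username, which matches what the answer observed.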
With the option below I can jail the SFTP user within the specified directory, and the specified user is still able to log in through SSH.

    Match Group groupname User *,!username

Thanks.