sshd with multiple match sections, override settings
I have the situation where sshd should permit sftp only access to a group of users.

This is easily done by adding a match section like

Match Group groupname
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

Now I need to exclude one user that is a member of this group. He should have normal shell access.

Match User username
    ChrootDirectory ???
    ForceCommand ???

What do I set here? Is it possible to unset configuration directives previously set with another matching section?

Mantle answered 31/5, 2012 at 8:11
First apply the settings to the group, excluding user "username;" then apply (other) settings to user "username." If you do not use the ForceCommand setting for user "username," it is not applied.

Match Group groupname User !username
   ChrootDirectory /srv/ftp
   ForceCommand internal-sftp
Match User username
   PasswordAuthentication yes

You can also use different settings if the user logs in from different IP addresses.

# all users except username1 and username2 default to sftp
Match User *,!username1,!username2
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -f LOCAL0 -l INFO

# normal ssh allowed for users username1 and username2 from the local network
Match User username1,username2 Address 192.168.0.0/16
    PasswordAuthentication yes

# users username1 and username2 not allowed from other networks
Match User username1,username2 Address *,!192.168.0.0/16
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin
Demise answered 17/3, 2016 at 22:15
Fonseca: Your second example is exactly what I need, and -- therefore -- much appreciated. To group the "bad" users together, I introduced a group, e.g., badusers: Match Group badusers Address *,!192.168.0.0/16 PasswordAuthentication no
Don't add an extra Match User section. Instead, exclude the user by excluding him from the original Match.

Match Group groupname User !username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

All criteria on the Match line must be satisfied for the section to be applied.

As Nicolas Mommaerts discovered, there's a bug with negative-only patterns, and you may need to first include everyone with *:

Match Group groupname User *,!username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp
Gem answered 31/5, 2012 at 9:56
Comportment: For everyone else who stumbles upon this, I just couldn't get it to work until I read bbs.archlinux.org/viewtopic.php?id=121945. Turns out there is a bug in the pattern matching and you need to do "Match Group groupname, User *,!username"; after I did that it worked immediately as expected.
Provencal: @NicolasMommaerts With SSH Config, the doc says "Criteria may be negated by prepending an exclamation mark (‘!’)." Can you do that with SSHD as well? Match Group foo !User bar baz
Provencal: ^ SSHD Config says "yes": "The match patterns […] may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5)."
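As an added illustration (not code from the question or from any of the answers), here is a small Python model of how sshd evaluates Match lines, covering the three points raised on this page: ssh_config(5) pattern lists where a negated entry rejects and a list of only negations never matches, all criteria on one Match line having to hold, and the first matching block's value for a keyword being kept so that a later block cannot unset ForceCommand. The sample configs and connections are constructed; real sshd supports further criteria (Host, LocalAddress, LocalPort) and negated Group lists, which this model leaves out.

```python
import fnmatch
import ipaddress
def match_pattern_list(value, pattern_list, cidr=False):
    # ssh_config(5) PATTERNS: a matching "!" entry rejects the list at once; negations alone never match.
    matched = False
    for pat in pattern_list.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        hit = (ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
               if cidr and "/" in pat else fnmatch.fnmatchcase(value, pat))
        if negated and hit:
            return False
        matched = matched or hit
    return matched

def block_applies(criteria, conn):
    # All criteria on one Match line must hold (AND); negated Group lists are not modelled.
    checks = {"user": lambda p: match_pattern_list(conn["user"], p),
              "group": lambda p: any(match_pattern_list(g, p) for g in conn["groups"]),
              "address": lambda p: match_pattern_list(conn["addr"], p, cidr=True)}
    return all(checks[key.lower()](pattern) for key, pattern in criteria)

def effective_config(config_text, conn):
    # Global keywords first, then Match blocks in file order: when several matching blocks
    # set the same keyword the FIRST value is kept, and a later block cannot unset it.
    global_opts, blocks, current = {}, [], None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            toks = value.split()
            current = (list(zip(toks[::2], toks[1::2])), {})
            blocks.append(current)
        elif current is None:
            global_opts[keyword] = value
        else:
            current[1][keyword] = value
    matched = {}
    for criteria, opts in blocks:
        if block_applies(criteria, conn):
            matched = {**opts, **matched}  # earlier block's values take precedence
    return {**global_opts, **matched}

# Constructed sample configs and connections, not taken from any real host.
NAIVE = "Match Group groupname\n ForceCommand internal-sftp\nMatch User username\n PasswordAuthentication yes\n"
FIXED = "Match Group groupname User *,!username\n ForceCommand internal-sftp\nMatch User username\n PasswordAuthentication yes\n"
NEG_ONLY = "Match Group groupname User !username\n ForceCommand internal-sftp\n"
ADMIN = {"user": "username", "groups": ["groupname"], "addr": "192.168.1.5"}
OTHER = {"user": "alice", "groups": ["groupname"], "addr": "192.168.1.5"}
```

Running `effective_config(NAIVE, ADMIN)` still yields ForceCommand internal-sftp for the excluded user, while `effective_config(FIXED, ADMIN)` does not, and `effective_config(NEG_ONLY, OTHER)` applies nothing at all. On a real host the same check is done with `sshd -T -C user=...,host=...,addr=...`, which prints the effective configuration for that connection.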
What worked for me is putting the user rule first:

Match user lee
    ChrootDirectory /mnt/s3
    ForceCommand internal-sftp

Match group ftp
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
Sidonius answered 24/2, 2021 at 14:48
Match Group groupname User *,!username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp
Laynelayney answered 3/7, 2023 at 15:34
Provencal: Duplicate code from the oldest answer