sshd with multiple match sections, override settings


I have the situation where sshd should permit sftp only access to a group of users.

This is easily done by adding a match section like

Match Group groupname
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

Now I need to exclude one user that is a member of this group. He should have normal shell access.

Match User username
    ChrootDirectory ???
    ForceCommand ???

What do I set here? Is it possible to unset configuration directives previously set with another matching section?

4

There are 4 best solutions below

3

Don't add an extra Match User section. Instead, exclude the user by excluding him from the original Match.

Match Group groupname User !username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

All criteria on the Match line must be satisfied for the section to be applied.

As Nicolas Mommaerts discovered, there's a bug with negative-only patterns, and you may need to first include everyone with *:

Match Group groupname User *,!username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

0

What worked for me is putting the user rule first:

Match user lee
    ChrootDirectory /mnt/s3
    ForceCommand internal-sftp

Match group ftp
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

1

Match Group groupname User *,!username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

1

First apply the settings to the group, excluding user "username;" then apply (other) settings to user "username." If you do not use the ForceCommand setting for user "username," it is not applied.

Match Group groupname User !username
   ChrootDirectory /srv/ftp
   ForceCommand internal-sftp
Match User username
   PasswordAuthentication yes

You can also use different settings if the user logs in from different IP addresses.

# all users except username1 and username2 default to sftp
Match User *,!username1,!username2
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -f LOCAL0 -l INFO

# normal ssh allowed for users username1 and username2 from the local network
Match User username1,username2 Address 192.168.0.0/16
    PasswordAuthentication yes

# users username1 and username2 not allowed from other networks
Match User username1,username2 Address *,!192.168.0.0/16
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin
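An added example, not part of any answer above and not code from OpenSSH: a small Python model of the documented sshd Match semantics, so the three approaches in this thread (excluding the user with `*,!username`, ordering a `Match User` block first, and splitting by `Address`) can be compared on the same constructed users. It models the rules from sshd_config(5) and the PATTERNS section of ssh_config(5): a pattern list is comma-separated globs, a leading `!` negates an entry, a matching negated entry rejects the whole list, and a list made only of negated entries never produces a positive match (which is why `User !username` on its own matches nobody and the `*,!username` form is needed); all criteria on a Match line must hold; a matching block overrides the global section; and when several blocks match, the first block to set a keyword wins. The users `alice` and `bob`, the group `sftponly` and the addresses are constructed sample data.

```python
# Added example, not from the thread: a Python model of sshd's documented Match
# semantics (sshd_config(5); ssh_config(5) PATTERNS): comma-separated globs with
# "!" negation, and a list of only negated entries never matches; every criterion
# on a Match line must hold; a matching block overrides the global section; when
# several blocks match, the FIRST block to set a keyword wins. Sample data below.
import fnmatch
import ipaddress


def pattern_list(value, patterns, hit=fnmatch.fnmatchcase):
    """1 = positive match, -1 = a negated entry matched, 0 = nothing matched."""
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if hit(value, pat[1:] if negated else pat):
            if negated:
                return -1          # a negated match rejects the whole list
            got_positive = 1
    return got_positive


def addr_hit(addr, pat):
    """Address entries: CIDR when parseable, plain glob (e.g. "*") otherwise."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(addr, pat)


def group_match(groups, patterns):
    """Any group may match positively; a negated match on any group rejects."""
    found = False
    for group in groups:
        result = pattern_list(group, patterns)
        if result == -1:
            return False
        found = found or result == 1
    return found


def parse_config(text):
    """-> (global settings, [(criteria, settings), ...]); first value wins per section."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            current = {}
            blocks.append((dict(zip((t.lower() for t in toks[0::2]), toks[1::2])), current))
        else:
            (global_settings if current is None else current).setdefault(key, value)
    return global_settings, blocks


def block_matches(criteria, conn):
    checks = {
        "user": lambda p: pattern_list(conn["user"], p) == 1,
        "group": lambda p: group_match(conn["groups"], p),
        "address": lambda p: pattern_list(conn["addr"], p, addr_hit) == 1,
    }
    return all(checks[crit](pat) for crit, pat in criteria.items())


def effective_settings(text, conn):
    """What sshd would apply to this connection (compare `sshd -T -C ...`)."""
    global_settings, blocks = parse_config(text)
    from_match = {}
    for criteria, settings in blocks:
        if block_matches(criteria, conn):
            for key, value in settings.items():
                from_match.setdefault(key, value)   # earlier matching block wins
    return {**global_settings, **from_match}


# Constructed connections: alice and bob are both members of the sftp-only group.
ALICE = {"user": "alice", "groups": ["alice", "sftponly"], "addr": "192.168.1.10"}
BOB = {"user": "bob", "groups": ["bob", "sftponly"], "addr": "203.0.113.7"}
NEGATED_ONLY = """Match Group sftponly User !alice
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp"""          # matches nobody: bob is NOT chrooted
EXCLUDE_ALICE = """Match Group sftponly User *,!alice
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp"""          # bob chrooted, alice left alone
ORDERED = """Match User alice
    ChrootDirectory /mnt/s3
    ForceCommand internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp"""          # both match alice; the first block wins
BY_ADDRESS = """Match User *,!alice
    ForceCommand internal-sftp
Match User alice Address 192.168.0.0/16
    PasswordAuthentication yes
Match User alice Address *,!192.168.0.0/16
    ForceCommand /usr/sbin/nologin"""      # alice gets a shell only from the LAN
```

`effective_settings(NEGATED_ONLY, BOB)` returns an empty dict, showing that the negated-only form applies to nobody, while `effective_settings(EXCLUDE_ALICE, BOB)` returns the chroot and `internal-sftp` ForceCommand and the same call for `ALICE` returns nothing. On a real host the equivalent check is to run, as root, `sshd -T -f /etc/ssh/sshd_config -C user=bob,host=bob.example.com,addr=203.0.113.7`, which prints the effective configuration after Match processing for that connection; the `%u` in `ChrootDirectory /home/%u` is left unexpanded by this model but is expanded by sshd.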