| Summary: | Clarification for the usage of Match directives with negations | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Sven <sven> |
| Component: | Documentation | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW | | |
| Severity: | enhancement | CC: | ivan.2019.ifv |
| Priority: | P5 | | |
| Version: | 6.6p1 | | |
| Hardware: | Other | | |
| OS: | All | | |
| See Also: | https://bugzilla.mindrot.org/show_bug.cgi?id=1680 https://bugzilla.mindrot.org/show_bug.cgi?id=1918 | | |

Created attachment 2460: proposed clarification for the usage of negations with Match

Hi,

I tried to set up some special cases with the help of the "Match" directive in sshd_config and stumbled over how negations in the pattern matching work. What I tried first was

    Match User !root, Group !mygroup

which, to my momentary surprise, did not work. After carefully re-reading the manpage, and some trial and error, I've understood that the logic is based on set theory and I tried to essentially exclude users/groups from an empty set, which of course has no result and thus cannot match anything. So a

    Match User *,!root, Group *,!mygroup

worked for my case.

I guess it's intentional that there is no kind of default filling of the set you match on, so I would propose a patch to the ssh_config.5 manpage to make it a bit more obvious. I also posted that to the mailing list some time ago but there was no concrete feedback. So I'm just filing this bug so that the patch proposal won't be lost unnoticed.
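
The behaviour described in the report, as an added example that is not part of the original report and is not OpenSSH's code: a simplified Python model of pattern-list evaluation in which a negated pattern can only veto a match and never produces one. The function names and the sample accounts are constructed for illustration.

```python
import re

def _glob(pattern, value):
    # OpenSSH patterns know only the '*' and '?' wildcards.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def match_pattern_list(value, pattern_list):
    """Return 1 on a positive match, -1 if a negated pattern matches, else 0."""
    result = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _glob(pat, value):
            if negated:
                return -1      # a negated hit wins over any positive hit
            result = 1
    return result

def match_block_applies(user, groups, criteria):
    """All criteria on the Match line must be satisfied (model, not sshd code)."""
    if "User" in criteria and match_pattern_list(user, criteria["User"]) != 1:
        return False
    if "Group" in criteria:
        results = [match_pattern_list(g, criteria["Group"]) for g in groups]
        # Any group hitting a negated pattern vetoes; otherwise one positive hit is needed.
        if -1 in results or 1 not in results:
            return False
    return True

# Constructed sample accounts: user name -> group memberships.
ACCOUNTS = {"root": ["root"], "alice": ["users"], "bob": ["users", "mygroup"]}

def applies_to(criteria):
    """Users from ACCOUNTS for which the Match block would apply."""
    return sorted(u for u, g in ACCOUNTS.items()
                  if match_block_applies(u, g, criteria))

if __name__ == "__main__":
    # Negation only: nothing is ever positively matched.
    print(applies_to({"User": "!root", "Group": "!mygroup"}))
    # Wildcard supplies the positive match, negation removes the exceptions.
    print(applies_to({"User": "*,!root", "Group": "*,!mygroup"}))
```

A block that is meant to restrict everyone except a few accounts silently applies to nobody when written with negations alone, so it is worth confirming the effective settings for a test account with sshd's extended test mode (`sshd -T -C user=...`).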