Statements such as:

Match User !root
    ForceCommand /bin/rshell

or:

Match Group !root
    ForceCommand /bin/rshell

will not work, due to (in my read) servconf.c

#    } else if (ga_match_pattern_list(grps) != 1) {

and

#    if (match_pattern_list(user, arg, len, 0) != 1)

Both functions on an affirmatively negated match will return -1 (rather than 1, but still non-zero), thus never being considered a "match" by either user or group negation processing.

In fact, for users, I'm not certain the processing will ever be correct for negation in any sane deploy (Match user steve !steve)?, though for groups it could make sense to return differing results based on the intersection of group1 & !group2.

Since there is not a "ForceCommand no", and ForceCommand /bin/bash is not the same as login (obv.), I'm left at a bit of a puzzle to handle this one.

Or I could be misreading all this code, or it's already fixed elsewhere and I missed it. But I think it's a bug anyhow...
Ahh, an undocumented, but logical workaround: If you force a positive match, it will work:

Match user *,!root

Perhaps just a fix in the manpages would suffice to save someone else hours on this one :-)
2014 April. OpenBSD current. Still true. Man page still lacking details. I was 10 minutes from filing this as a new bug, I'll just bump this one.

Match User "!carl"    # not valid.
Match User "*,!carl"  # works just fine.
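The return-value behaviour discussed in the comments above, as an added example (not part of any comment in this thread and not OpenSSH's own code): a simplified model of a pattern-list matcher that returns 1, -1 or 0, together with the caller's "only 1 counts" test. The names `model_match_list` and `match_block_applies` are hypothetical, wildcard handling uses fnmatch(3) as a stand-in, and the user names and lists are constructed inputs.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH source. Returns 1 on a positive match,
 * -1 as soon as a negated ("!") pattern matches, 0 if nothing matched. */
static int model_match_list(const char *s, const char *list)
{
    char pat[128];
    int got_positive = 0;

    while (*list != '\0') {
        size_t n = strcspn(list, ",");      /* length of this list entry */
        const char *p = list;
        int negated = (n > 0 && *p == '!');
        if (negated) { p++; n--; }
        if (n >= sizeof(pat))
            return 0;                       /* over-long entry: no match */
        memcpy(pat, p, n);
        pat[n] = '\0';
        if (n > 0 && fnmatch(pat, s, 0) == 0) {
            if (negated)
                return -1;                  /* negation wins immediately */
            got_positive = 1;
        }
        list = p + n;
        if (*list == ',')
            list++;
    }
    return got_positive;
}

/* The caller's test as quoted from servconf.c: only a result of 1 counts. */
static int match_block_applies(const char *user, const char *list)
{
    return model_match_list(user, list) == 1;
}

int main(void)
{
    const char *lists[] = { "!root", "*,!root" };   /* constructed inputs */
    const char *users[] = { "root", "carl" };
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++)
            printf("Match User %-8s user=%-4s result=%2d applies=%d\n",
                lists[i], users[j], model_match_list(users[j], lists[i]),
                match_block_applies(users[j], lists[i]));
    return 0;
}
```

With a bare `!root` list, no user ever produces 1, so a `ForceCommand` restriction placed under that block is silently not applied to anyone; checking the effective configuration for a test user with `sshd -T -C user=<name>` catches this before deployment.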
*** This bug has been marked as a duplicate of bug 1918 ***
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1