Bug 2262 - Clarification for the usage of Match directives with negations
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 6.6p1
Hardware: Other All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2014-08-15 23:10 AEST by Sven
Modified: 2020-04-05 20:25 AEST

Attachments
proposed clarification for the usage of negations with Match (726 bytes, patch)
2014-08-15 23:10 AEST, Sven

Description Sven 2014-08-15 23:10:51 AEST
Created attachment 2460
proposed clarification for the usage of negations with Match

Hi,
I tried to set up some special cases with the help of the "Match"
directive in sshd_config and stumbled over how negations in the
pattern matching work.

What I tried first was
     Match User !root, Group !mygroup
which to my momentary surprise did not work.

After carefully re-reading the manpage, and some trial and error
I've understood that the logic is based on set theory and I
tried to essentially exclude user/groups from an empty set, which
of course has no result and thus cannot match anything.

So a
   Match User *,!root, Group *,!mygroup
worked for my case.

I guess it's intentional that there is no kind of default
filling of the set you match on, so I would propose a patch
to the ssh_config.5 manpage to make it a bit more obvious.

I also posted that to the mailing list some time ago but there was
no concrete feedback. So I'm just filing this bug so that the patch
proposal won't be lost unnoticed.
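
Added example (not OpenSSH's code and not part of the report): a simplified C model of how a comma-separated pattern list with negations is evaluated, showing why `!root` alone matches no user while `*,!root` matches every user except root. The function names and the sample user `alice` are assumptions of this example, and whitespace around commas is not handled.

```c
#include <stdio.h>
#include <string.h>

/* Wildcard match for '*' and '?' only (simplified for this example). */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')      /* '*' matches nothing here, or swallows one character */
        return glob_match(s, p + 1) || (*s != '\0' && glob_match(s + 1, p));
    if (*s == '\0' || (*p != '?' && *p != *s))
        return 0;
    return glob_match(s + 1, p + 1);
}

/*
 * Match one name against a comma-separated pattern list. Returns 1 for a
 * positive match, 0 when nothing matched, and -1 when a negated pattern
 * matched (which rejects the name whatever else is listed).
 */
int pattern_list_match(const char *name, const char *list)
{
    char buf[256];
    int got_positive = 0;

    if (strlen(list) >= sizeof(buf))
        return 0;       /* size limit is an assumption of this example */
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int negated = (tok[0] == '!');
        if (!glob_match(name, negated ? tok + 1 : tok))
            continue;
        if (negated)
            return -1;
        got_positive = 1;
    }
    return got_positive;
}

int main(void)
{
    /* Constructed inputs: the two user pattern lists from the report. */
    const char *lists[] = { "!root", "*,!root" };
    const char *users[] = { "root", "alice" };
    for (int l = 0; l < 2; l++)
        for (int u = 0; u < 2; u++)
            printf("%-8s %-5s -> %d\n", lists[l], users[u],
                pattern_list_match(users[u], lists[l]));
    return 0;
}
```

Only a return value of 1 counts as a match, so a list made up solely of negations can reject names but never select any.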