Description of problem:

Double negation is not working as advertised in the Match stanza of sshd_config.

Disable non-admin login from non-corporate (Example Ltd) network:

  # cat /etc/ssh/sshd_config
  Match Group !admin Host !*.example.com
      MaxSessions 0

eviluser is not a member of admins:

  # id eviluser | grep admin
  uid=1510(eviluser) gid=1500(evil) groups=2000(othergroup)

  # sshd -T -C user=eviluser,host=server.evilsite.com,addr=10.0.0.1 | grep -i maxsess
  maxsessions 10

Version-Release number of selected component (if applicable):
openssh-5.3p1-52.el6_1.2.i686
openssh-clients-5.3p1-52.el6_1.2.i686
openssh-server-5.3p1-52.el6_1.2.i686

How reproducible:

If negation is not used, it just works:

  Match Group test Host *.example.com
      MaxSessions 0

  # usermod -a -G test eviluser
  # id eviluser | grep admin
  uid=1510(eviluser) gid=1500(evil) groups=2000(othergroup),2018(admin)
  # sshd -T -C user=eviluser,host=server.example.com,addr=10.0.0.1 | grep -i maxsess
  maxsessions 0

Steps to Reproduce:
1. Configure sshd_config
2. Test configuration file like above

Actual results:
Rules are not working as expected.

Expected results:
Excerpt from man sshd_config: "If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file"
So it seems that if negation is used, only the first criterion is used by the openssh daemon.
Sorry, the first few lines are duplicated in the original description. Please omit everything before the "Description of problem:" line.
Additional info: "eviluser" is a user from OpenLDAP, but the "admins" group belongs to the local server.
verified
In the configuration documentation of the Match command, "!" is mentioned only once:

  A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’). For example, to allow a key to be used from anywhere within an organisation except from the “dialup” pool, the following entry (in authorized_keys) could be used:

    from="!*.dialup.example.com,*.example.com"

There is no generic negation support in the Match command.
(In reply to comment #7)
> there is in configuration of the Match command mentioned ! only once :
> A pattern-list is a comma-separated list of patterns. Patterns within
> pattern-lists may be negated by preceding them with an exclamation mark (‘!’).
> For example, to allow a key to be used from anywhere within an organisation
> except from the “dialup” pool, the following entry (in authorized_keys) could
> be used:
> from="!*.dialup.example.com,*.example.com"
> There is not generic negation support in the match command.

The man page might be slightly misleading. The following configuration settings work as expected, though:

  Match User "!username,*"
      MaxSessions 0

  # sshd -T -C user=username,host=client.example.com,addr=10.0.0.1 | grep maxsess
  maxsessions 10
  # sshd -T -C user=otheruser,host=client.example.com,addr=10.0.0.1 | grep maxsess
  maxsessions 0
  # sshd -T -C user=otheruser2,host=client.example.com,addr=10.0.0.1 | grep maxsess
  maxsessions 0
Excerpts from the OpenSSH 5.1 Changelog: http://www.openssh.org/txt/release-5.1

 * sshd_config(5) now supports CIDR address/masklen matching in "Match address" blocks, with a fallback to classic wildcard matching. For example:

     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes

 * "Match group" blocks in sshd_config(5) now support negation of groups. E.g. "Match group staff,!guests" (bz#1315)
You have omitted the trailing ",*" in your config. Try:

  Match Group !admin,* Host !*.example.com,*
      MaxSessions 0
(In reply to comment #10)
> you have omitted trailng ,* in your config
> try:
> Match Group !admin,* Host !*.example.com,*
> MaxSessions 0

Thank you for your help, it seems to work now as expected. I reckon the manual page could be more detailed on the matter.

On a related note, the Match criteria are not working between quotation marks. It is not a bug but it is nice to know:

  Match Group "!admin,*" Host "!*.example.com,*"    <= erroneous config
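To make the pattern-list rule behind comments #7 and #10 concrete, here is an added Python re-implementation of the documented semantics (not OpenSSH's own code): a negated pattern can only veto, never match, so a list with no positive pattern never selects anything, which is why the trailing ",*" is required. It assumes Python's fnmatch as a stand-in for OpenSSH's wildcard matcher, and uses the report's user and host as constructed sample input.

```python
import fnmatch

def match_pattern_list(string, pattern_list, fold_case=False):
    """1 = positive match, -1 = a negated pattern matched (negation wins
    at once), 0 = nothing matched; only-negated lists can never return 1."""
    if fold_case:
        string = string.lower()
    got_positive = 0
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fold_case:
            sub = sub.lower()
        # fnmatch stands in for OpenSSH's own '*' / '?' matcher (assumption)
        if fnmatch.fnmatchcase(string, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive

def match_group(user_groups, pattern_list):
    """A negated hit on any group rejects; else some group must match."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found

def match_block(criteria, user_groups, host):
    """criteria: (keyword, pattern_list) pairs; all must be satisfied."""
    for keyword, patterns in criteria:
        if keyword == "Group":
            ok = match_group(user_groups, patterns)
        elif keyword == "Host":
            ok = match_pattern_list(host, patterns, fold_case=True) == 1
        else:
            raise ValueError("unsupported Match keyword: " + keyword)
        if not ok:
            return False
    return True

# Constructed sample input from the report: non-admin user, outside host.
EVILUSER_GROUPS = ["evil", "othergroup"]
OUTSIDE_HOST = "server.evilsite.com"
AS_FILED = [("Group", "!admin"), ("Host", "!*.example.com")]      # never matches
AS_FIXED = [("Group", "!admin,*"), ("Host", "!*.example.com,*")]  # comment #10
```

With AS_FILED the block never applies, so the global MaxSessions 10 stays in force for eviluser; with AS_FIXED it applies to non-admins from outside example.com and to nobody else.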
Thanks for the report, closing as not a bug.