Description of problem:
While trying to set up chrooted ssh for certain users, I found out that (at least) the Address Match parameter will ignore negated patterns (!192.168.0.0/32).

If you use:

    Match User sshtest Address 192.168.0.1/32
        ForceCommand /sbin/nologin

it will work (only users logging in from 192.168.0.1 will get kicked off), but if you attempt to negate the address pattern:

    Match User sshtest Address !192.168.0.1/32
        ForceCommand /sbin/nologin

it will not work.

Version-Release number of selected component (if applicable):
openssh-server-5.3p1-52.el6_1.2.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up ssh with the configuration shown above using a negated address pattern
2. Attempt to connect
3. Check results.

Actual results:
Rule should match as described in the sshd_config manpage. "The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5)."

Expected results:
The negated pattern takes effect

Additional info:
"A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’)."

So you can negate only listed patterns; the correct setting is:

    Match User sshtest Address !192.168.0.1/32,*
        ForceCommand /sbin/nologin
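
Added example (not part of the original report or comment, and not OpenSSH source code): a simplified Python model of how a pattern-list is evaluated, showing why a list holding only a negated entry never selects the Match block while "!192.168.0.1/32,*" does. The function names are hypothetical; the 1 / 0 / -1 result convention is modelled on OpenSSH's address-list matching.

```python
import ipaddress
import re


def _wildcard(pattern, text):
    # OpenSSH-style wildcards: '*' matches any run, '?' exactly one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None


def _entry_matches(pattern, addr):
    # Try the entry as an address or CIDR block first, then as a wildcard string.
    # Simplification: sshd rejects a CIDR with host bits set as a config error;
    # this model just lets it fall through to the (non-matching) string compare.
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    except ValueError:
        return _wildcard(pattern, addr)


def addr_match_list(addr, pattern_list):
    """Return 1 (positive match), 0 (nothing matched) or -1 (negated entry hit)."""
    result = 0
    for raw in pattern_list.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _entry_matches(pattern, addr):
            if negated:
                return -1      # a negated hit vetoes the whole list
            result = 1         # remember the positive hit, keep scanning
    return result


def match_block_applies(addr, pattern_list):
    # A Match criterion is satisfied only by a positive result. "Nothing matched"
    # (0) and "negated entry hit" (-1) both leave the block unapplied.
    return addr_match_list(addr, pattern_list) == 1


if __name__ == "__main__":
    # Constructed client addresses, checked against the lists from the report.
    for plist in ("192.168.0.1/32", "!192.168.0.1/32", "!192.168.0.1/32,*"):
        for client in ("192.168.0.1", "10.0.0.5"):
            print(f"{plist:20} {client:12} -> {match_block_applies(client, plist)}")
```
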