I'm trying to set up an sftp chrooted group using match. I have created the special group and
find that this match group works fine
Subsystem sftp internal-sftp
Match Group sftp
ForceCommand internal-sftp
ChrootDirectory /sftp-home/%u
X11Forwarding no
AllowTcpForwarding no
Now I want to add an admin to the group, but not have him restricted to internal-sftp. I tried this
Match Group sftp User !adminguy
but although no syntax error is raised this appears just to stop the sftp group from being chrooted.
They can use sftp and can ls / without any problems. They don't appear able to use a standard login,
but that's because they have /bin/false as a shell so cannot log in anyway. I assume that's because the
Match is failing, i.e. I have the wrong syntax. I tried a couple of things, e.g. "!adminguy" in the User pattern,
but no success.
Is there a way to allow adminguy to be a member of this group and keep ordinary ssh login?
From the man-page:
Match   Introduces a conditional block. If all of the criteria on the Match line are satisfied,
        the keywords on the following lines override those set in the global section of the
        config file, until either another Match line or the end of the file.

        The arguments to Match are one or more criteria-pattern pairs. The available criteria
        are User, Group, Host, and Address. The match patterns may consist of single entries or
        comma-separated lists and may use the wildcard and negation operators described in the
        PATTERNS section of ssh_config(5).
So probably you should use:
Match Group sftp, User !adminguy
Also, to debug the parsing of your config file I would try sshd -d, which puts the server in debug mode and gives you an idea of what is happening.
Last edited by Spider.007 (2011-07-03 09:44:45)
So probably you should use:
Match Group sftp, User !adminguy
I tried this, but it didn't work. I saw no syntax message and the sftp group connected with sftp, but no chroot.
I took the manual to imply that the patterns could contain commas not that commas could separate the criteria pattern pairs.
I did use the debug output and see these differences (I ignored trivial things like process ids etc etc).
Match Group sftp, User !adminguy
.......
debug1: user sftpuser matched group list sftp, at line 81
.......
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1006/1003
.......
debug1: subsystem: exec() internal-sftp
Match Group sftp
.......
debug1: user sftpuser matched group list sftp at line 81
......
debug1: PAM: establishing credentials
Changed root directory to "/sftp-home/sftpuser"
debug1: permanently_set_uid: 1006/1003
.......
debug1: subsystem: exec() internal-sftp
debug1: Forced command (config) 'internal-sftp'
So it seems the comma is taken as part of the Group pattern, but I see no mention of the User criterion.
Turns out there's a workaround for a bug in the pattern matching, i.e.
Match Group sftp, User *,!adminguy
works for me as expected.
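As an added example (not code from this thread or from OpenSSH), the following Python models the documented pattern-list rule behind that workaround: a negated sub-pattern such as !adminguy can only exclude, so some positive sub-pattern (here *) must match before the list matches at all. The Match-line evaluator assumes sshd's behaviour of splitting the line on whitespace, which is why "Group sftp," is read as a pattern ending in a comma rather than as a separator.

```python
# Model of OpenSSH pattern-list matching as used by sshd_config "Match"
# criteria. Constructed illustration, not OpenSSH's own code; it supports
# only the "*" and "?" wildcards and "!" negation that ssh_config(5) lists.
import fnmatch


def match_pattern_list(string: str, pattern_list: str) -> bool:
    """Return True only if some positive sub-pattern matches and no
    negated sub-pattern matches. A list made only of negations, such as
    "!adminguy", therefore never matches anything."""
    got_positive = False
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if sub and fnmatch.fnmatchcase(string, sub):
            if negated:
                return False      # an explicit exclusion wins immediately
            got_positive = True   # keep going: a later "!" may still reject
    return got_positive


def match_line_applies(match_line: str, user: str, groups: list[str]) -> bool:
    """Evaluate one 'Match <criterion> <pattern> ...' line for a connection
    by the given user who belongs to the given groups. The line is split on
    whitespace, so 'Group sftp, User x' yields the group pattern 'sftp,'."""
    tokens = match_line.split()
    if tokens[0] != "Match" or len(tokens) % 2 == 0:
        raise ValueError("expected 'Match' followed by criterion/pattern pairs")
    for criterion, pattern in zip(tokens[1::2], tokens[2::2]):
        if criterion == "User":
            ok = match_pattern_list(user, pattern)
        elif criterion == "Group":
            # Group matches if any of the user's groups matches the list.
            ok = any(match_pattern_list(g, pattern) for g in groups)
        else:
            raise ValueError(f"criterion not modelled here: {criterion}")
        if not ok:
            return False          # every criterion on the line must hold
    return True
```

On a real server, `sshd -T -C user=adminguy,host=client.example,addr=192.0.2.10` (placeholder values) prints the effective configuration for that connection, which is the quickest way to confirm which Match block applies to whom.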