sshd with multiple match sections, override settings

configuration ssh sshd
gurubert picture gurubert · May 31, 2012 · Viewed 19k times · Source

I have the situation where sshd should permit sftp only access to a group of users.

This is easily done by adding a match section like

Match Group groupname
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

Now I need to exclude one user that is a member of this group. He should have normal shell access.

Match User username
    ChrootDirectory ???
    ForceCommand ???

What do I set here? Is it possible to unset configuration directives previuosly set with another matching section?

Answer

dave4420 picture dave4420 · May 31, 2012

Don't add a Match User section. Instead, exclude the user by excluding him from the original match.

Match Group groupname User !username
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

All criteria on the Match line must be satisfied for the section to be applied.

I am unsure of the exact syntax. You may need quotes.

Match Group groupname User "!username"
    ChrootDirectory /srv/ftp
    ForceCommand internal-sftp

Related questions

Gitlab with non-standard SSH port (on VM with Iptable forwarding)

My gitlab is on a virtual machine on a host server. I reach the VM with a non-standard SSH port (i.e. 766) which an iptable rule then forward from host:766 to vm:22. So when I create a new repo, the …

Read More
SSH compression for X11 forwarding

I’m on the East coast of the United States, SSHing into a server on the West coast. I’ve managed to get X11 forwarding working so I can launch GUI apps for certain tasks where it’s helpful. However, …

Read More
Error message "Forbidden You don't have permission to access / on this server"

I have configured my Apache by myself and have tried to load phpMyAdmin on a virtual host, but I received: 403 Forbidden You don't have permission to access / on this server My httpd.conf # # This is the main Apache HTTP server …

Read More