How can the Address condition in a Match conditional block in sshd_config be negated?

Question

I would like to force users into a specific command when they log in from outside my LAN via SSH to my LAN. My idea was, to use ForceCommand in a Match conditional block, that matches all addresses except for the ones in my LAN.

I have tried the following, according to man 5 sshd_config:

Match Address !192.168.1.0/24 allowed users from anywhere to execute any command.
Match Address !192.168.* allowed users from anywhere to execute any command.
Match !Address 192.168.* prevented execution of any command by means of sshd refusing to start.

Negating a pattern using ! is described in man 5 ssh_config (Section "Patterns"). How can this be applied to addresses?

score 13 · Accepted Answer · edited Apr 13 '17 at 12:14

13

According to this ServerFault answer, for some unknown reason, you need to add a wildcard match in order to do this. CIDR notation does however seem to work. For example:

Match Address *,!192.168.1.0/24
    ForceCommand /bin/false

This works for me with OpenSSH 5.9p1.

edited Apr 13 '17 at 12:14

Community

1

answered Jul 17 '12 at 06:27

mgorven

30,036
7
76
121

How can the Address condition in a Match conditional block in sshd_config be negated?

1 Answers1

Linked