I would like to force users into a specific command when they log in from outside my LAN via SSH to my LAN. My idea was to use ForceCommand in a Match conditional block that matches all addresses except for the ones in my LAN.

I have tried the following, according to man 5 sshd_config:

  • Match Address !192.168.1.0/24 allowed users from anywhere to execute any command.
  • Match Address !192.168.* allowed users from anywhere to execute any command.
  • Match !Address 192.168.* prevented execution of any command by means of sshd refusing to start.

Negating a pattern using ! is described in man 5 ssh_config (Section "Patterns"). How can this be applied to addresses?

Oswald

1 Answer

According to this ServerFault answer, for some unknown reason, you need to add a wildcard match in order to do this. CIDR notation does, however, seem to work. For example:

Match Address *,!192.168.1.0/24
    ForceCommand /bin/false

This works for me with OpenSSH 5.9p1.

mgorven
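The reason the leading `*` is needed follows from how sshd walks the comma-separated list after `Match Address`: entries are tested left to right, a plain entry that matches marks the list as matched but evaluation continues, and a negated (`!`) entry that matches rejects the address immediately. A list made only of negated entries can therefore never produce a positive match, so `Match Address !192.168.1.0/24` applies to nobody. The following Python script is an added example for this thread (not code from the question, the answer, or OpenSSH itself); it models those list semantics for IPv4 and IPv6 clients and runs the question's attempts and the answer's working list against a few constructed client addresses. The client addresses and the `force_command_applies` helper are this example's own; `Match !Address` is a syntax error that sshd rejects at startup and is not modelled here.

```python
"""Model of how sshd evaluates the list after "Match Address".

Added example (not code from the original post or from OpenSSH).  It
re-implements the semantics OpenSSH applies to a "Match Address" list:
entries are tested left to right; a plain entry that matches marks the
list as matched but scanning continues; a negated ("!") entry that
matches rejects the address at once.  A list of only negated entries
can never match, which is why "*,!192.168.1.0/24" is needed.
"""
import fnmatch
import ipaddress

FORCE_COMMAND = "/bin/false"   # the command used in the answer above

# Constructed sample clients: one on the LAN from the question, two outside it.
SAMPLE_CLIENTS = ["192.168.1.20", "203.0.113.7", "2001:db8::1"]


def address_matches(addr: str, pattern_list: str) -> bool:
    """Return True if addr matches a "Match Address <pattern_list>" line.

    Each comma-separated entry is tried as a CIDR block first (a bare
    address counts as a /32 or /128); if it does not parse as one it is
    treated as a wildcard pattern with '*' and '?' as in ssh_config(5)
    PATTERNS.  fnmatch also accepts '[...]' classes, which ssh's own
    pattern matcher does not; avoid them in real configs.
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in Match Address list")
        try:
            net = ipaddress.ip_network(entry)
            # Address families must agree; a v4 block never matches a v6 client.
            hit = ip.version == net.version and ip in net
        except ValueError:
            # Not CIDR: fall back to wildcard string matching on the text form.
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit:
            if negate:
                return False       # a negated match rejects immediately
            matched = True         # a positive match; later "!" entries may still reject
    return matched


def force_command_applies(pattern_list: str) -> dict:
    """Map each sample client to what it gets under
    "Match Address <pattern_list>" followed by "ForceCommand /bin/false":
    the forced command when the block applies, None (a normal session) otherwise."""
    return {
        client: (FORCE_COMMAND if address_matches(client, pattern_list) else None)
        for client in SAMPLE_CLIENTS
    }


if __name__ == "__main__":
    # The two attempts from the question that matched nobody, then the working list.
    for lst in ["!192.168.1.0/24", "!192.168.*", "*,!192.168.1.0/24"]:
        print(f"Match Address {lst}")
        for client, cmd in force_command_applies(lst).items():
            print(f"  {client:16} -> {cmd or 'normal session'}")
```

To check the real daemon rather than this model, OpenSSH 5.1 and later can print the effective configuration for a simulated connection, for example `sshd -T -C addr=203.0.113.7,user=alice,host=example.net | grep -i forcecommand`, repeated with a LAN address to confirm the block does not apply there; that is the quickest way to verify a `Match` list before reloading sshd.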