Using negation in "Match" conditional blocks in sshd_config

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6

Issue

OpenSSH in Red Hat Enterprise Linux 6 allows the use of conditional blocks in the sshd_config configuration file. If the initiated connection criteria match the expression of the Match conditional block, then the configuration options in that block would apply.
How to use negation in Match expressions?

Resolution

To use negation in Match conditional blocks, the expression needs to be preceded by a *. For instance, given the following section in the bottom of sshd_config:

Match Group *,!admin Address 192.168.1.1
  ForceCommand /bin/false

This would deny connections from 192.168.1.1 to anyone who is not in the admin group. The connection denial is achieved using the ForceCommand statement which instructs the sshd server to run a dummy command (/bin/false) and exit immediately.

Root Cause

The cause of this non-intuitive behaviour is dependent on the implementation of negation in OpenSSH.
Ref. https://bugzilla.mindrot.org/show_bug.cgi?id=1315

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.