Using negation in "Match" conditional blocks in sshd_config

Solution Verified - Updated -


  • Red Hat Enterprise Linux 6


OpenSSH in Red Hat Enterprise Linux 6 allows the use of conditional blocks in the sshd_config configuration file. If the initiated connection criteria match the expression of the Match conditional block, then the configuration options in that block would apply.
How to use negation in Match expressions?


To use negation in Match conditional blocks, the expression needs to be preceded by a *. For instance, given the following section in the bottom of sshd_config:

Match Group *,!admin Address
  ForceCommand /bin/false

This would deny connections from to anyone who is not in the admin group. The connection denial is achieved using the ForceCommand statement which instructs the sshd server to run a dummy command (/bin/false) and exit immediately.

Root Cause

The cause of this non-intuitive behaviour is dependent on the implementation of negation in OpenSSH.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.