There is a Match group in the SSHD config:
cat /etc/ssh/sshd_config
...
Match Group FOOGROUP
ForceCommand /bin/customshell
...
There are many users on the machine that are in the “FOOGROUP”.
My question: How can I exclude a given user that is in the “FOOGROUP” from the “Match Group”?
Answers:
Method 1
The Match operator can take multiple arguments, allowing very flexible rules. In this case, you could do something like this to achieve what you want.
Match Group FOOGROUP User !username
ForceCommand /bin/customshell
The ! negates the argument passed to the User criterion, so even if the user username is in the group FOOGROUP, the Match will not be successful, and username will not be given the custom shell upon logging in.
Method 2
You need to use multiple clauses in your config file entry, but in a very specific way. There is a bug in some setups that causes the generally recommended, and simplest, syntax (“Match Group FOOGROUP User !username”) to either cause everyone else in the group to fail to Match or let them escape their chroot jail.
On Debian Jessie using OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.2d, I get the result that everyone else in the group can no longer connect. Others report jail breaks. In both cases a syntax of
Match Group FOOGROUP User *,!username
seems to work without side-effects. Some sort of bug in the parser no doubt.
Method 3
With the option below I can jail the SFTP user within the specified directory, and the specified user is also able to log in through SSH.
Match Group groupname User *,!username
Thanks.
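The three answers above differ only in whether the pattern list for the User criterion contains a positive entry. The sshd_config(5) manual's PATTERNS section states that a negated pattern never produces a positive match by itself, so a criterion written as `User !username` is satisfied by nobody, while `User *,!username` is satisfied by everyone except username. The following Python is an added example, not code from the original page or from any of the answers: it models OpenSSH's pattern-list evaluation and a minimal Match-block reader so the two spellings can be compared offline. The config fragments, account names and group memberships are constructed, and the reader only understands the User and Group criteria and the ForceCommand keyword.

```python
"""Model of how sshd evaluates `Match Group ... User ...` pattern lists.

Added example, not part of the original Q&A. It mirrors the rule from
sshd_config(5) PATTERNS: a negated pattern vetoes a match but never
produces a positive match on its own.
"""
import fnmatch
from typing import Dict, List, Optional


def match_pattern_list(value: str, patterns: str) -> int:
    """Evaluate a comma-separated pattern list the way sshd does.

    Returns 1 for a positive match, -1 if a negated pattern matched
    (a veto), and 0 if no positive pattern matched. A list made only of
    negations can therefore never return 1.
    """
    got_positive = False
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        # fnmatchcase also accepts [...] classes, which sshd does not;
        # the samples here use only '*' so the behaviour is identical.
        if fnmatch.fnmatchcase(value, pat):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_group_list(groups: List[str], patterns: str) -> int:
    """A Group criterion matches if any of the user's groups matches the
    list; a negated match on any group vetoes the whole criterion."""
    found = False
    for group in groups:
        result = match_pattern_list(group, patterns)
        if result == -1:
            return 0
        if result == 1:
            found = True
    return 1 if found else 0


def criteria_match(tokens: List[str], user: str, groups: List[str]) -> bool:
    """Evaluate the keyword/pattern pairs of a Match line for one user."""
    if len(tokens) % 2 != 0:
        raise ValueError("Match criteria must come in keyword/pattern pairs")
    pairs = list(zip(tokens[0::2], tokens[1::2]))
    # Unknown criteria are a config error, as they would be for sshd.
    for crit, _ in pairs:
        if crit.lower() not in ("user", "group"):
            raise ValueError(f"unsupported Match criterion: {crit}")
    for crit, pat in pairs:
        if crit.lower() == "user" and match_pattern_list(user, pat) != 1:
            return False
        if crit.lower() == "group" and match_group_list(groups, pat) != 1:
            return False
    return True


def effective_force_command(config: str, user: str, groups: List[str]) -> Optional[str]:
    """Return the ForceCommand that applies to `user`: the first matching
    Match block wins, otherwise the first global value, otherwise None."""
    global_value: Optional[str] = None
    match_value: Optional[str] = None
    in_match: Optional[bool] = None  # None while still in the global section
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "match":
            in_match = criteria_match(rest.split(), user, groups)
        elif key == "forcecommand":
            if in_match is None and global_value is None:
                global_value = rest.strip()
            elif in_match and match_value is None:
                match_value = rest.strip()
    return match_value if match_value is not None else global_value


def report(config: str, accounts: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each constructed account to the ForceCommand it would receive."""
    return {user: effective_force_command(config, user, groups)
            for user, groups in accounts.items()}


# Constructed sample fragments: the negation-only spelling and the
# wildcard spelling recommended in Methods 2 and 3.
NEG_ONLY = """
Match Group FOOGROUP User !username
ForceCommand /bin/customshell
"""
WILDCARD = """
Match Group FOOGROUP User *,!username
ForceCommand /bin/customshell
"""
# Constructed accounts: three members of FOOGROUP (one to be excluded)
# and one user outside the group.
ACCOUNTS = {"alice": ["FOOGROUP"], "carol": ["FOOGROUP", "sudo"],
            "username": ["FOOGROUP"], "bob": ["users"]}

if __name__ == "__main__":
    for name, cfg in (("User !username", NEG_ONLY), ("User *,!username", WILDCARD)):
        print(name, report(cfg, ACCOUNTS))
```

With the negation-only spelling nobody in the constructed group receives the custom shell, which is the failure Method 2 describes; with `*,!username` every member except username receives it. On a real host the same question can be answered by sshd itself: `sshd -T -C user=alice,host=client.example.org,addr=192.0.2.10 | grep -i forcecommand` prints the effective value for that connection (the host name and address here are placeholders).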
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.