alternative to sshd first-match-only MATCH configuration
Given an openssh (1:7.2p2-4ubuntu2.6 on ubuntu 16.04) installation, I find myself with multiple tiers of groups that I'd like to work with. The way I'm trying to set up the groups is effectively this:
- Port-forwarding
  - Forward to local ports only
  - Above, plus a few remote ports
  - Forward "any" port
- Access
  - SFTP-only (e.g., ForceCommand internal-sftp), chrooted
  - SFTP-only, not chrooted
  - Full shell access
I'll use groups named unimaginatively pf1, pf2, pf3, and acc1, acc2, acc3, respectively.
The way the man page words it
    The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria.
it sounds like the only way to do this is effectively
    Match Group pf1,acc1
        PermitOpen localhost:1234 localhost:2345
        ForceCommand internal-sftp
        ChrootDirectory /somepath
    Match Group pf1,acc2
        PermitOpen localhost:1234 localhost:2345
        ForceCommand internal-sftp
    Match Group pf1,acc3
        PermitOpen localhost:1234 localhost:2345
    Match Group pf2,acc1
        PermitOpen localhost:1234 localhost:2345 remote1:1234 remote2:2345
        ForceCommand internal-sftp
        ChrootDirectory /somepath
    Match Group pf2,acc2
        PermitOpen localhost:1234 localhost:2345 remote1:1234 remote2:2345
        ForceCommand internal-sftp
    Match Group pf2,acc3
        PermitOpen localhost:1234 localhost:2345 remote1:1234 remote2:2345
    Match Group pf3,acc1
        #PermitOpen any
        ForceCommand internal-sftp
        ChrootDirectory /somepath
    Match Group pf3,acc2
        #PermitOpen any
        ForceCommand internal-sftp
    Match Group pf3,acc3
        #PermitOpen any
I could possibly save a couple lines by defaulting to one set of PermitOpen and such, but it doesn't remove the need to iterate through every possible combination of the two sets of groups with disparate types of restrictions. If there are any other special cases (these three users have one special need), then I need to multiply the number of their distinct groups ...
I know the config doesn't seem to allow this, but am I missing something, or is it really this literal and enumerative?
Ultimately I'd just want to use something that lets me do a more additive approach:
    Match Group pf1
        PermitOpen localhost:1234 localhost:2345
    Match Group pf2
        PermitOpen localhost:1234 localhost:2345 remote1:1234 remote2:2345
    Match Group pf3
        #PermitOpen any
    Match Group acc1
        ForceCommand internal-sftp
        ChrootDirectory /somepath
    Match Group acc2
        ForceCommand internal-sftp
    Match Group acc3
        # not needed
for readability as well as ease of configuration.
Background searches:
- the mailing list does not turn up much over the last couple of years; I might need to expand my search parameters (this is just one set of searches)
- not quite related: How to exclude from a "Match Group" in SSHD?
- I believe dropbear does not support this level of precise control
Tags: openssh sshd
asked 11 mins ago
r2evans
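Two rules from sshd_config(5) decide how the additive layout above behaves, and they are easy to get backwards when reading the man page quote in the question. First, every Match block whose criteria are satisfied contributes its keywords, overriding the global section, and for each keyword the first obtained value is used; so blocks that set different keywords combine, and when two matching blocks set the same keyword the earliest one wins. Second, the Group criterion takes a pattern-list: `Match Group pf1,acc1` is satisfied by membership in any listed group (OR), whereas `Match Group pf1 Group acc1` requires both (AND), which matters because a comma where an AND was intended hands the block's settings to a wider set of accounts than planned. The script below is an added illustration, not OpenSSH code or anything from the question's author: a toy model of just those rules (Group criterion and Match All only), run over a constructed config fragment in the additive layout, with `PermitOpen any` uncommented for the pf3 block and one global keyword (`X11Forwarding no`) assumed so that carry-through from the global section is visible.

```python
"""Toy model of sshd_config Match resolution (added illustration, not OpenSSH code).

Rules modelled, from sshd_config(5):
  * every Match block whose criteria hold contributes its keywords, overriding
    the global section;
  * for each keyword the first obtained value is used, so the earliest matching
    block wins when two blocks set the same keyword;
  * the Group criterion takes a pattern-list: `Group pf1,acc1` holds for a user
    in ANY listed group, `Group pf1 Group acc1` requires both.
Only the Group criterion and `Match All` are implemented.
"""
import fnmatch

# Constructed sshd_config fragment: the additive layout from the question, with
# `PermitOpen any` uncommented for pf3 and one global keyword to show carry-through.
SAMPLE_CONFIG = """
X11Forwarding no
Match Group pf1
    PermitOpen localhost:1234 localhost:2345
Match Group pf2
    PermitOpen localhost:1234 localhost:2345 remote1:1234 remote2:2345
Match Group pf3
    PermitOpen any
Match Group acc1
    ForceCommand internal-sftp
    ChrootDirectory /somepath
Match Group acc2
    ForceCommand internal-sftp
# acc3 needs no block: full shell access is the default
"""


def parse_config(text):
    """Split a config into (globals, blocks).

    globals is {keyword: value}; blocks is a list of (criteria, {keyword: value})
    where criteria is a list of (criterion, [patterns]) pairs from the Match line.
    """
    globals_, blocks = {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            toks = rest.split()
            if [t.lower() for t in toks] == ["all"]:
                criteria = []                       # Match All: always satisfied
            elif toks and len(toks) % 2 == 0:
                criteria = [(toks[i].lower(), toks[i + 1].split(","))
                            for i in range(0, len(toks), 2)]
            else:
                raise ValueError("Match needs criteria/pattern pairs: " + line)
            current = {}
            blocks.append((criteria, current))
        else:
            # First obtained value wins inside a section; later repeats are ignored.
            current.setdefault(keyword, rest.strip())
    return globals_, blocks


def group_criterion_holds(patterns, groups):
    """`Group a,b` holds if the user belongs to any group matching the list."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def criteria_hold(criteria, groups):
    """Every criterion-pattern pair on one Match line must hold (AND)."""
    for criterion, patterns in criteria:
        if criterion != "group":
            raise NotImplementedError("model only handles the Group criterion")
        if not group_criterion_holds(patterns, groups):
            return False
    return True


def effective_options(text, groups):
    """Effective {keyword: value} for a user who is a member of `groups`."""
    globals_, blocks = parse_config(text)
    from_match = {}
    for criteria, options in blocks:
        if criteria_hold(criteria, groups):
            for keyword, value in options.items():
                from_match.setdefault(keyword, value)   # earliest block wins
    effective = dict(globals_)
    effective.update(from_match)                        # Match overrides global
    return effective


# Constructed one-line variants showing the OR / AND difference on a Match line.
OR_CONFIG = "Match Group pf1,acc1\n    ForceCommand internal-sftp\n"
AND_CONFIG = "Match Group pf1 Group acc1\n    ForceCommand internal-sftp\n"

if __name__ == "__main__":
    for groups in ({"pf1", "acc1"}, {"pf3", "acc3"}, {"pf1", "pf2", "acc2"}):
        print(sorted(groups), effective_options(SAMPLE_CONFIG, groups))
    print("OR, acc1 only :", effective_options(OR_CONFIG, {"acc1"}))
    print("AND, acc1 only:", effective_options(AND_CONFIG, {"acc1"}))
```

The model is only a reading aid; the authoritative check is the daemon itself. sshd's extended test mode prints the effective configuration for a simulated connection, for example `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (placeholder values), so each tier of accounts can be verified against the real parser before a restrictive block is trusted, and any account that unexpectedly lands in a permissive tier shows up as a wrong PermitOpen or missing ForceCommand in that output.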