On Wed, Jul 2, 2014 at 10:59 AM, Ez Egy <ezegyemailcim...@gmail.com> wrote:

> Match Group GROUPNAME User !root
> This does nothing. (but sshd restart doesn't tell it's syntactically
> incorrect!!!..., values should be delimited by "," comma.. a groupname will
> never have space in it..)
>

> and:
>
> Match Group GROUPNAME, User *,!root
> This excludes the root if it's in the GROUPNAME group.
>

There are *two* differences between those lines:
1) the second has a comma after the group name
2) the second has a different pattern for the User condition

The first change HAS NO EFFECT.

The change in behaviors is completely from the second change.  Unlike some
other programs' pattern match expressions, in ssh and sshd, starting a
pattern match with a negated term does *NOT* implicitly mean "start with
everything matching and exclude the negated stuff".  A pattern expression
in ssh/sshd with only negated items will *NEVER* match.


Philip Guenther
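
The pattern-list rule described in the reply above, as an added example that is not part of the original message or of OpenSSH's own code: a Python model of the matching semantics, plus a check that flags `Match` criteria whose pattern list holds only negated entries. The function names, the sample config and its `PasswordAuthentication` lines are constructed for illustration, and skipping empty list entries is a simplification.

```python
import re

# Constructed sample sshd_config fragment (not taken from a real host).
SAMPLE = """\
# constructed example
Match Group GROUPNAME User !root
    PasswordAuthentication no
Match Group GROUPNAME User *,!root
    PasswordAuthentication no
"""

def wildcard_match(pattern, value):
    """Match one pattern; only '*' and '?' are wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def pattern_list_match(value, pattern_list):
    """A negated hit vetoes the list; otherwise a positive hit is required."""
    matched = False
    for pat in filter(None, pattern_list.split(",")):  # empty entries skipped (simplification)
        if pat.startswith("!"):
            if wildcard_match(pat[1:], value):
                return False      # explicit exclusion wins
        elif wildcard_match(pat, value):
            matched = True        # keep scanning: a later negation may still veto
    return matched                # only-negated lists never reach True

def never_matching_criteria(config_text):
    """Return (line number, criterion, list) for Match lists with only negated patterns."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        words = line.split()
        if not words or words[0].lower() != "match":
            continue
        # Criteria come as "Name pattern-list" pairs after the Match keyword.
        for criterion, plist in zip(words[1::2], words[2::2]):
            pats = [p for p in plist.split(",") if p]
            if pats and all(p.startswith("!") for p in pats):
                findings.append((lineno, criterion, plist))
    return findings

if __name__ == "__main__":
    for user in ("alice", "root"):
        print(user, pattern_list_match(user, "!root"), pattern_list_match(user, "*,!root"))
    print(never_matching_criteria(SAMPLE))
```

A finding from `never_matching_criteria` means the settings under that `Match` line are never applied to anyone, which matters when the block was meant to tighten access.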
