Re: Disabling ForceCommand in a Match block

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===============2026932867==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="------------enigA04BF7DC9D793AEB26FF8A97"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigA04BF7DC9D793AEB26FF8A97
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Iain Morgan wrote:
> It would be more in keeping with the general syntax of the ssh_config=20
> (and the preferrence of keeping the number of options to a minimum)
> to have ForcedCommand accept the special keyword 'none'.

This would prevent being able to call the command 'none'. I guess that's =
ok.

>> Is there a better way to do this? Possibly without patching openssh?
>=20
> I have to admit, I haven't played around with the Match keyword much.
> If it accepted negation (I don't recall if it does), you could do
> something like:
>=20
> Match ! Group wheel
> ForceCommand /usr/bin/validate-ssh-command

Yes, that would be nice. Unfortunately, it doesn't work (I just tried it)=
=2E

-- Remy


--------------enigA04BF7DC9D793AEB26FF8A97
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFGSyZqCeNfIyhvXjIRAm67AJ91pkeaXDSXl1Ix7yFwe3 up6ONhGQCgwC4j
pk8wLREODPzixooHDOVCRi4=
=COTA
-----END PGP SIGNATURE-----

--------------enigA04BF7DC9D793AEB26FF8A97--


--===============2026932867==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev

--===============2026932867==--