How can the Address condition in a Match conditional block in sshd_config be negated?

ssh cygwin-sshd

I would like to force users into a specific command when they log in from outside my LAN via SSH to my LAN. My idea was, to use ForceCommand in a Match conditional block, that matches all addresses except for the ones in my LAN.

I have tried the following, according to man 5 sshd_config:

  • Match Address !192.168.1.0/24 allowed users from anywhere to execute any command.
  • Match Address !192.168.* allowed users from anywhere to execute any command.
  • Match !Address 192.168.* prevented execution of any command by means of sshd refusing to start.

Negating a pattern using ! is described in man 5 ssh_config (Section "Patterns"). How can this be applied to addresses?


According to this ServerFault answer, for some unknown reason, you need to add a wildcard match in order to do this. CIDR notation does however seem to work. For example:

Match Address *,!192.168.1.0/24
    ForceCommand /bin/false

This works for me with OpenSSH 5.9p1.

Related

Unable to dcpromo new 2008 Server in 2000 domain
Can I prevent IIS from recycling if /bin changes?
Where can I get the default /etc/hosts file for Debian Sid?
PHP on IIS 7.5/W2K8 using IUSR Account not IIS_APPPOOL\DefaultAppPool
Setting up mail accounts without real Linux users
Resize /var partition on a remote system (Linux Debian Lenny)
Increasing timeout for mod_proxy_ajp connections
Windows 2016 updates and Active Hours
How to transfer user accounts to a new Linux machine?
Unknown Database when trying to connect to an AWS RDS instance
Advanced routing with firewall marks and `rp_filter`
How to increase MTU size on Linux 2.6?