I try to set up two "Match Group" directives in sshd_config.

I have an LDAP server. All users including admins are part of the LDAP
group users. The admin users are also part of the LDAP group wheel. For
example:

[~]groups admin1
admin1 : users wheel
[~]groups users
user1 : users

On a client server to LDAP, I try to configure two "Match Group"
directives in sshd_config as follows:

Match Group wheel
    some keywords...

Match Group users
    some keywords...

The problem is that even if a user is a member of LDAP group wheel, the
"Match Group wheel" directive is skipped in favor of the "Match Group
users" directive.

Is it possible to have two "Match Group" directives as I like to do it?
If yes, what is wrong in my configuration?

Thanks,
A detail I forgot...

The need is to have members of the groups wheel and users being dropped to
a shell and administer the server while members of only the group users
have a script started forcing them to a few commands on the server.

On Tue, Feb 28, 2017 at 10:50 AM, Bernard Fay <bernard.fay at gmail.com> wrote:

> I try to set up two "Match Group" directives in sshd_config.
>
> I have an LDAP server. All users including admins are part of the LDAP
> group users. The admin users are also part of the LDAP group wheel. For
> example:
>
> [~]groups admin1
> admin1 : users wheel
> [~]groups users
> user1 : users
>
> On a client server to LDAP, I try to configure two "Match Group"
> directives in sshd_config as follows:
>
> Match Group wheel
>     some keywords...
>
> Match Group users
>     some keywords...
>
> The problem is that even if a user is a member of LDAP group wheel, the
> "Match Group wheel" directive is skipped in favor of the "Match Group
> users" directive.
>
> Is it possible to have two "Match Group" directives as I like to do it?
> If yes, what is wrong in my configuration?
>
> Thanks,
> On 28.02.2017 at 17:02, Bernard Fay <bernard.fay at gmail.com> wrote:
>
> A detail I forgot...
>
> The need is to have members of the groups wheel and users being dropped to
> a shell and administer the server while members of only the group users
> have a script started forcing them to a few commands on the server.
>

man sshd_config:

The match patterns may consist of single entries or comma-separated lists
...

Match Group wheel,users

--
LF
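
How sshd applies several "Match Group" blocks to the two accounts in this thread, as an added example (not code from any poster or from OpenSSH): a simplified Python model of pattern-list matching and of the rule in sshd_config(5) that the first value obtained for a keyword is the one used. The keywords, the script path and the `users,!wheel` pattern are assumptions chosen for illustration.

```python
from fnmatch import fnmatchcase

# Group memberships as shown by `groups` in the thread.
MEMBERSHIP = {"admin1": ["users", "wheel"], "user1": ["users"]}

def match_pattern_list(name, pattern_list):
    """1 = positive match, -1 = a negated pattern matched, 0 = no match."""
    result = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        # fnmatchcase also accepts [..] classes, which sshd patterns do not.
        if fnmatchcase(name, pat.lstrip("!")):
            if negated:
                return -1
            result = 1
    return result

def group_match(user, pattern_list):
    """True if any of the user's groups matches and none hits a negation."""
    found = False
    for group in MEMBERSHIP[user]:
        verdict = match_pattern_list(group, pattern_list)
        if verdict == -1:
            return False
        found = found or verdict == 1
    return found

def effective(config, user):
    """Walk Match blocks in file order; the first value seen for a keyword wins."""
    settings = {}
    for pattern_list, keywords in config:
        if group_match(user, pattern_list):
            for key, value in keywords.items():
                settings.setdefault(key, value)
    return settings

# Hypothetical keywords standing in for "some keywords..." in the question.
SEPARATE = [("wheel", {"X11Forwarding": "yes"}),
            ("users", {"ForceCommand": "/usr/local/bin/menu.sh"})]
EXCLUDING = [("wheel", {"X11Forwarding": "yes"}),
             ("users,!wheel", {"ForceCommand": "/usr/local/bin/menu.sh"})]

if __name__ == "__main__":
    for name, config in (("separate", SEPARATE), ("excluding", EXCLUDING)):
        for user in MEMBERSHIP:
            print(name, user, effective(config, user))
```

On a real host, `sshd -T -C user=admin1` prints the settings sshd would actually apply to that account, which is the way to confirm what this model predicts.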