System Administration Guide: Security Services

ProcedureHow to Create User and Host Exceptions to SSH System Defaults

This procedure adds a conditional Match block after the global section of the /etc/ssh/sshd_config file. Keyword-value pairs that follow the Match block specify exceptions for the user, group, host, or address that is specified as the match.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Edit the sshd_config file.

  3. Configure a user, group, host, or address to use different SSH keyword settings from the default settings.

    Place the Match blocks after the global settings.

    Note –

    The global section of the file might or might not list the default settings. For the defaults, see the sshd_config(4) man page.

    You might have users who should not be allowed to use TCP forwarding. In the following example, any user in the group public, and any user name that begins with test cannot use TCP forwarding:

    ## sshd_config file
    ## Global settings
    # Example (reflects default settings):
    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   PubkeyAuthentication yes
    #   PasswordAuthentication yes
    #   FallBackToRsh no
    #   UseRsh no
    #   BatchMode no
    #   CheckHostIP yes
    #   StrictHostKeyChecking ask
    #   EscapeChar ~
    Match Group public
     AllowTcpForwarding no
    Match User test*
     AllowTcpForwarding no

    For information about the syntax of the Match block, see the sshd_config(4) man page.