This procedure adds a conditional Match block after the global section of the /etc/ssh/sshd_config file. Keyword-value pairs that follow the Match block specify exceptions for the user, group, host, or address that is specified as the match.
Before You Begin
You must become an administrator who is assigned the solaris.admin.edit/etc/ssh/sshd_config authorization. By default, the root role has this authorization. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
# pfedit /etc/ssh/sshd_config
Place the Match blocks after the global settings.
For example, you might have users who should not be allowed to use TCP forwarding. In this configuration, any user in the group public and any user whose name begins with test cannot use TCP forwarding:
## sshd_config file
## Global settings

# Example (default SunSSH values):
#
# Host *
# ForwardAgent no
# ForwardX11 no
# PubkeyAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# EscapeChar ~

Match Group public
    AllowTcpForwarding no
Match User test*
    AllowTcpForwarding no
For information about the syntax of the Match keyword, see the sshd_config (4) man page.
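The scoping rule behind this procedure, as an added example that is not part of the original Oracle documentation: a Python sketch that resolves which value of a keyword applies to a given user, showing that a line placed after a Match line belongs to that block and not to the global settings. The global AllowTcpForwarding yes line, the user and group names, and the function names are assumptions; only User and Group criteria with wildcard patterns are evaluated, and the sketch assumes that the first matching block that sets a keyword wins.

```python
import fnmatch

# Constructed sample: the page's two Match blocks plus one assumed global line.
SAMPLE = """\
AllowTcpForwarding yes
Match Group public
    AllowTcpForwarding no
Match User test*
    AllowTcpForwarding no
"""

def parse(text):
    """Split config text into global settings and a list of Match blocks."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            words = value.split()
            criteria = dict(zip((w.lower() for w in words[0::2]), words[1::2]))
            current = {"criteria": criteria, "settings": {}}
            blocks.append(current)
        else:
            # Lines after a Match line belong to that block until the next Match.
            target = global_settings if current is None else current["settings"]
            target.setdefault(key, value)  # first value seen for a keyword is kept
    return global_settings, blocks

def applies(criteria, user, groups):
    """True if every User/Group criterion matches; other criteria are not evaluated."""
    subjects = {"user": [user], "group": list(groups)}
    for kind, patterns in criteria.items():
        names = subjects.get(kind)
        if names is None:
            return False  # Host/Address need connection data this sketch lacks
        if not any(fnmatch.fnmatchcase(n, p) for p in patterns.split(",") for n in names):
            return False
    return True

def effective(text, keyword, user, groups=()):
    """Value of keyword for this user: first matching block, else the global value."""
    global_settings, blocks = parse(text)
    for block in blocks:
        if keyword.lower() in block["settings"] and applies(block["criteria"], user, groups):
            return block["settings"][keyword.lower()]
    return global_settings.get(keyword.lower())  # None: the daemon default applies

if __name__ == "__main__":
    for user, groups in [("alice", ["staff"]), ("bob", ["public"]), ("test01", ["staff"])]:
        print(user, effective(SAMPLE, "AllowTcpForwarding", user, groups))
```

A return value of None means the keyword is not set globally or in any matching block, which is what happens to a setting intended as global but appended after the last Match block.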