15

There is a Match group in the SSHD config:

    $ cat /etc/ssh/sshd_config
    ...
    Match Group FOOGROUP
        ForceCommand /bin/customshell
    ...

There are many users on the machine that are in the "FOOGROUP".

My question: How can I exclude a given user that is in the "FOOGROUP" from the "Match Group"?

3 Answers

17

The Match operator can take multiple arguments, allowing very flexible rules. In this case, you could do something like this to achieve what you want.

    Match Group FOOGROUP User !username
        ForceCommand /bin/customshell

The ! negates the argument passed to the User criterion, so even if the user username is in the group FOOGROUP, the Match will not be successful, and username will not be given the custom shell upon logging in.

  • And are you 100% sure that this only excludes the "!username"? And other users that could be in the FOOGROUP will be untouched? Commented Jun 18, 2014 at 15:10
  • Yes. I tested it before posting, and it works as I describe. Commented Jun 19, 2014 at 21:37
  • It seems the *,!username is a cleaner approach. Yet another case where your solution fails is mixing this kind of Match with ChrootDirectory (tested on both openssh 5.3p1 and 7.4p1). Commented Nov 28, 2019 at 15:03
8

You need to use multiple clauses in your config file entry, but in a very specific way. There is a bug in some setups that causes the generally recommended, and simplest, syntax ( "Match Group FOOGROUP User !username" ) to either cause everyone else in the group to fail to Match or let them escape their chroot jail.

On Debian Jessie using OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.2d I get the result that everyone else in the group can no longer connect. Others report jail breaks. In both cases a syntax of

    Match Group FOOGROUP User *,!username

seems to work without side-effects. Some sort of bug in the parser no doubt.
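The difference between "User !username" and "User *,!username" follows from the pattern-list rule in sshd_config(5): a negated pattern rejects on a hit but never produces a positive result by itself, so a list made only of negated terms matches nobody unless a positive term such as "*" is present. The following is an added example, not code from either answer or from OpenSSH: a small Python model of that documented rule plus a minimal Match evaluator, run over constructed sample configs (the user names, group name and /bin/customshell are placeholders taken from the question). It only models the User and Group criteria.

```python
"""Model of the pattern-list and Match semantics described in sshd_config(5).

Added illustration; this is not sshd's code. It exists to show why
"User *,!username" excludes one user from a group Match while
"User !username" on its own yields no positive match for anyone.
"""
import fnmatch


def match_pattern_list(string, pattern_list):
    """Return 1 (positive match), -1 (negated match hit) or 0 (no match).

    Comma-separated patterns; a leading '!' negates. A negated hit rejects
    immediately; a positive hit is remembered; with no positive hit the
    result is 0, so a list made only of negated terms never matches.
    """
    got_positive = 0
    for sub in pattern_list.split(","):
        sub = sub.strip()
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if fnmatch.fnmatchcase(string, sub):   # '*' and '?' wildcards
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_group_list(groups, pattern_list):
    """Match a pattern list against each of a user's groups: any negated hit
    rejects, otherwise the result is positive if any group matched."""
    found = False
    for group in groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def parse_config(text):
    """Split sshd_config text into global options and ordered Match blocks.
    Keywords are case-insensitive; the first value seen for a keyword wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = args.split()
            criteria = list(zip(tokens[::2], tokens[1::2]))  # (criterion, pattern)
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_opts.setdefault(keyword, args)
        else:
            current.setdefault(keyword, args)
    return global_opts, blocks


def match_block(criteria, user, groups):
    """A Match line applies only if every criterion-pattern pair matches."""
    for criterion, pattern in criteria:
        criterion = criterion.lower()
        if criterion == "user":
            ok = match_pattern_list(user, pattern) == 1
        elif criterion == "group":
            ok = match_group_list(groups, pattern)
        else:
            raise ValueError("criterion not modelled here: " + criterion)
        if not ok:
            return False
    return True


def effective_options(text, user, groups):
    """Options a given user would get: matching Match blocks override the
    global section, and the first matching block wins per keyword."""
    global_opts, blocks = parse_config(text)
    result = {}
    for criteria, opts in blocks:
        if match_block(criteria, user, groups):
            for key, value in opts.items():
                result.setdefault(key, value)
    for key, value in global_opts.items():
        result.setdefault(key, value)
    return result


# Constructed sample configs (placeholder names from the question).
RECOMMENDED = """
PasswordAuthentication no
Match Group FOOGROUP User *,!username
    ForceCommand /bin/customshell
"""
NEGATED_ONLY = """
PasswordAuthentication no
Match Group FOOGROUP User !username
    ForceCommand /bin/customshell
"""

if __name__ == "__main__":
    for name, cfg in (("*,!username", RECOMMENDED), ("!username", NEGATED_ONLY)):
        for user in ("alice", "username"):
            opts = effective_options(cfg, user, ["FOOGROUP"])
            print(name, user, opts.get("forcecommand", "(no ForceCommand)"))
```

On a real host the authoritative check is sshd's own extended test mode, which prints the effective configuration for a simulated connection, for example `sshd -T -C user=alice,host=client.example,addr=192.0.2.10` (placeholder values); compare its ForceCommand and ChrootDirectory lines for an excluded user and for another group member before reloading the service.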

2

With the option below I can jail the sftp user within the specified directory, and the specified user is also able to log in through ssh.

    Match Group groupname User *,!username

Thanks.
