sshd_config match negate address

tl;dr

Match Address *,!192.168.1.0/24

Negating address in match statement in sshd_config

I was locking down the ssh server configuration on a host so that it would not accept password authentication from outside a certain IP address range.
I had to learn how to get the Match Address directive to work with a negation. To make it work, you need to insert a wildcard before you state the exclusion: a negated pattern on its own can only exclude addresses, it never produces a positive match, so the wildcard is what makes every other address match the block.

Match Address *,!192.168.1.0/24

And then I added the directives for this matched IP address range.

   AuthenticationMethods publickey
   PubkeyAuthentication yes
   PasswordAuthentication no
   X11Forwarding no
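To see why the wildcard is needed, here is an added example (not code from the original post) that models how sshd evaluates a Match Address pattern list, following the rules in the PATTERNS section of ssh_config(5): patterns are comma-separated, a leading "!" negates a pattern, CIDR notation is accepted for addresses, "*" and "?" are wildcards, and a negated pattern never yields a positive match by itself. sshd is not invoked; the global defaults, the Match block contents and the client addresses are constructed for the demonstration, and the function names are my own.

```python
# Added example, not from the original post: a model of sshd's
# Match Address evaluation so "*,!192.168.1.0/24" can be checked offline.
import ipaddress
import re


def _wildcard_to_regex(pattern: str) -> str:
    # sshd's pattern matcher only treats "*" and "?" specially; everything
    # else is literal, so build an anchored regex by hand instead of fnmatch.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return "^" + body + "$"


def address_matches_pattern(addr: str, pattern: str) -> bool:
    """Match one client address against one non-negated pattern."""
    if "/" in pattern:
        # CIDR form such as 192.168.1.0/24; strict=False tolerates host bits set
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    # Otherwise a shell-style wildcard over the textual address (e.g. 192.168.1.*)
    return re.match(_wildcard_to_regex(pattern), addr) is not None


def match_address_list(addr: str, pattern_list: str) -> bool:
    """Evaluate a pattern list the way sshd does: a negated pattern that
    matches rejects immediately; otherwise the result is true only if at
    least one positive pattern matched.  Order of the patterns does not matter."""
    got_positive = False
    for raw in pattern_list.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if address_matches_pattern(addr, pat[1:]):
                return False            # a negated match wins outright
        elif address_matches_pattern(addr, pat):
            got_positive = True         # keep going: a later "!" may still exclude
    return got_positive


def effective_settings(addr: str, pattern_list: str, block: dict, defaults: dict) -> dict:
    """Settings a client at `addr` ends up with: the Match block's directives
    override the global ones only when the block's pattern list matches."""
    settings = dict(defaults)
    if match_address_list(addr, pattern_list):
        settings.update(block)
    return settings


# Constructed sample mirroring the post: permissive global defaults plus the
# Match block that applies to everything except the trusted LAN.
GLOBAL_DEFAULTS = {"PasswordAuthentication": "yes", "AuthenticationMethods": "any"}
OUTSIDE_LAN_BLOCK = {"AuthenticationMethods": "publickey", "PasswordAuthentication": "no"}
PATTERN = "*,!192.168.1.0/24"

if __name__ == "__main__":
    for ip in ("192.168.1.42", "10.0.0.5", "203.0.113.9"):
        print(ip, effective_settings(ip, PATTERN, OUTSIDE_LAN_BLOCK, GLOBAL_DEFAULTS))
    # The negation alone matches nothing, which is why "*" has to be there.
    print("!192.168.1.0/24 alone, 10.0.0.5 ->", match_address_list("10.0.0.5", "!192.168.1.0/24"))
```

Running it shows the LAN address keeping password authentication while the two other addresses get the publickey-only settings, and that `!192.168.1.0/24` without the wildcard matches no address at all. On a real host the same check is `sshd -T -C addr=10.0.0.5` (documented in sshd(8)), which prints the effective configuration for a given connection.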

References

Weblinks

  1. https://serverfault.com/questions/408284/how-can-the-address-condition-in-a-match-conditional-block-in-sshd-config-be-neg

Man pages

  1. sshd_config
  2. ssh_config

sudoers Match AD group

Using AD groups in sudoers

When you need to add an Active Directory group to sudoers, you need to know a few things.
I learned from the sudoers man page that alias names can only be in capital letters, numbers, and underscores.
Also, when you use an AD group in a sudoers file (in my case, /etc/sudoers.d/70_web-dev_grp), you prepend the group name with a percent sign.

Also, I’m pretty sure you need to have the casing of the group name exactly correct, but I haven’t tested other casings and don’t plan to. If you know anything about this, comment and let me know!

User_Alias WEBDEVGRP = %Web-dev_grp
WEBDEVGRP ALL=(ALL) /sbin/apachectl
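As an added example (not from the original post), here is a small offline lint for a sudoers.d fragment that checks the two rules above the way sudoers(5) states them: an alias name consists only of uppercase letters, digits and underscores and starts with a letter, and a group is referenced with a leading "%". It also flags drop-in file names that sudo silently skips (names containing "." or ending in "~"). The file contents are constructed, the list of known AD group names is supplied by the caller because nothing offline can tell a user name from a group name, and the function names are my own; on a real host the authoritative check remains `visudo -c -f <file>`.

```python
# Added example, not from the original post: lint a sudoers.d fragment for
# the alias-naming and %group rules, plus the drop-in file-name rule.
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
ALIAS_DEF_RE = re.compile(r"^\S+\s+(\S+)\s*=\s*(.+)$")


def check_dropin_filename(name: str) -> list:
    """sudo ignores files in sudoers.d whose name contains '.' or ends in '~'."""
    if "." in name or name.endswith("~"):
        return [f"file name {name!r} is skipped by sudo (contains '.' or ends in '~')"]
    return []


def lint_sudoers(text: str, known_groups=()) -> list:
    """Return human-readable problems; an empty list means the fragment is clean.
    `known_groups` lists names that are groups (e.g. AD groups) and so must carry '%'."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        if stripped.split()[0] not in ALIAS_TYPES:
            continue                      # user specs and Defaults are not checked here
        m = ALIAS_DEF_RE.match(stripped)
        if not m:
            problems.append(f"line {lineno}: malformed alias definition")
            continue
        name, members = m.group(1), m.group(2)
        if not ALIAS_NAME_RE.match(name):
            problems.append(f"line {lineno}: alias name {name!r} must be uppercase "
                            "letters, digits and '_' and start with a letter")
        for member in (x.strip() for x in members.split(",")):
            if member in known_groups:    # bare group name: sudo would look for a *user*
                problems.append(f"line {lineno}: {member!r} is a group and needs a leading '%'")
    return problems


# Constructed fragments: the one from the post, and a broken variant.
GOOD_FRAGMENT = "User_Alias WEBDEVGRP = %Web-dev_grp\nWEBDEVGRP ALL=(ALL) /sbin/apachectl\n"
BAD_FRAGMENT = "User_Alias webdev-grp = Web-dev_grp\nwebdev-grp ALL=(ALL) /sbin/apachectl\n"
AD_GROUPS = ("Web-dev_grp",)

if __name__ == "__main__":
    for label, frag in (("good", GOOD_FRAGMENT), ("bad", BAD_FRAGMENT)):
        print(label, lint_sudoers(frag, AD_GROUPS) or "clean")
    print(check_dropin_filename("70_web-dev_grp") or "file name ok")
    print(check_dropin_filename("70_web-dev_grp.bak"))
```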

Reference

http://serverfault.com/questions/436037/sudoers-file-allow-sudo-on-specific-file-for-active-directory-group/444875#444875

sshd_config Match AD group

Overview

I use CentOS 7. One of the biggest reasons I join my servers to Active Directory is for the users and groups. Getting sshd_config to work with AD-defined groups is easy and just needs the smallest amount of work.

If you want to use sftp and have rules for just one specific AD group, you need to specify the group name with exactly the casing that getent reports:
[root@amazon|/var/log]# getent group Web_Dev_Grp
web_dev_grp:*:5829038:asmith,rltompki,fkowalks,bangel,lfrederi

So use “web_dev_grp”, exactly as shown, in your sshd_config:
Match Group web_dev_grp
ChrootDirectory /var/www
ForceCommand internal-sftp
Note that sshd requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group; otherwise it refuses the login.

Show all non-blank non-comment lines in file

If you want to see just the lines with content, such as in a config file, use this one-liner:

grep -viE '^\s*((#|;).*)?$' smb.conf

How it works

grep -v inverts the selection, i.e., it prints everything that does not match the expression.
-iE: case-insensitive, and treat the pattern as an extended regular expression. Technically no letters are being searched for, so the i is irrelevant, but I always use it in my searches anyway.
^ start of line
\s* white space, any amount from zero onward. The quantifier is greedy, so it consumes all of the leading white space (spaces, tabs, etc.)
(#|;) either a pound sign or a semicolon, which usually denote comments in config files (in my case, smb.conf)
((#|;).*) the above, followed by any character (the period) repeated any number of times (the asterisk), i.e. the rest of the line
((#|;).*)? the whole parenthesized group, optionally
$ end of line
So the expression matches any line that consists of any amount of white space, optionally followed by a comment symbol and whatever comes after it, up to the end of the line: blank lines, whitespace-only lines, and comment lines.
Show everything but those, and tada, just the important stuff.
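To check the explanation against real input, here is an added example (not from the original post) that applies the exact same expression to a constructed smb.conf and keeps the lines grep -v would keep. It also shows the one behaviour worth knowing about: a line with a comment after its content is kept, because the expression only recognises a comment marker when it is the first non-blank character on the line. The sample file and the function name are my own.

```python
# Added example, not from the original post: the one-liner's expression in
# Python, run over a constructed smb.conf so each line's fate can be seen.
import re

# The pattern from the one-liner; grep -v keeps the lines that do NOT match it.
COMMENT_OR_BLANK = re.compile(r"^\s*((#|;).*)?$")


def content_lines(text: str) -> list:
    """Return only the lines grep -viE '^\\s*((#|;).*)?$' would print."""
    return [line for line in text.splitlines() if not COMMENT_OR_BLANK.match(line)]


def classify(text: str) -> list:
    """Pair each line with 'drop' or 'keep', handy for eyeballing the rule."""
    return [("drop" if COMMENT_OR_BLANK.match(line) else "keep", line)
            for line in text.splitlines()]


# Constructed sample smb.conf covering the cases the explanation describes.
SAMPLE_SMB_CONF = "\n".join([
    "# Sample smb.conf (constructed for this example)",
    "",                                  # empty line
    "   ",                               # whitespace-only line
    "[global]",
    "\tworkgroup = EXAMPLE",
    "\t; security = user",               # indented ';' comment
    "\t#log level = 2",                  # indented '#' comment
    "\tlog level = 1 ; trailing comment is NOT stripped, line is kept",
    "[shares]",
    "    path = /srv/samba",
])

if __name__ == "__main__":
    for verdict, line in classify(SAMPLE_SMB_CONF):
        print(f"{verdict:4} | {line}")
    print(len(content_lines(SAMPLE_SMB_CONF)), "content lines")
```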