Re: sshd per-user config? (lucky.openbsd.tech forums, OpenBSD category)
On Sat, May 27, 2006 at 10:28:00AM +0000, Thorsten Glaser wrote:
> Hello,
>
> I wonder whether it's possible to have a per-user configuration
> for sshd (embedded in sshd_config(5) if possible), where you can,
> for example, have the following:
>
> Users *
>     PermitEmptyPasswords no
>     AllowTcpForwarding yes
> Users anoncvs anonwhatever yetanotherservice
>     PermitEmptyPasswords yes
>     AllowTcpForwarding no

Right now, you can do some of those things (eg disabling port forwarding)
through key restrictions, but you can't do it for the general case.

There's work going on (slowly :-) to add that kind of thing via a "Match"
directive. See: http://bugzilla.mindrot.org/show_bug.cgi?id=match

There's a patch against -portable (I also have the equivalent one against
OpenBSD which I will dig up and attach).

The Match directive overrides the default. With it, your example would be
implemented as:

    PermitEmptyPasswords no
    AllowTcpForwarding yes

    Match User anoncvs,anonwhatever,yetanotherservice
        PermitEmptyPasswords yes
        AllowTcpForwarding no

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
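A small model of the override behaviour described in the reply above, added here as an illustration; it is not OpenSSH code and not part of the original post. It resolves the settings in force for a given user and lists the Match blocks that relax a global default, which is the thing to review when auditing such a config. Assumptions: the function names are hypothetical, only `Match User <list>` is handled, the first value seen for a keyword wins, and `fnmatch` approximates sshd's pattern matching.

```python
from collections import ChainMap
from fnmatch import fnmatchcase

# Constructed sample: the configuration from the reply above.
SAMPLE = """\
PermitEmptyPasswords no
AllowTcpForwarding yes

Match User anoncvs,anonwhatever,yetanotherservice
    PermitEmptyPasswords yes
    AllowTcpForwarding no
"""

def parse(text):
    """Split a config into global settings and (user patterns, settings) blocks."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "user":
                raise ValueError("this model handles only 'Match User <list>'")
            current = {}  # following keywords belong to this block
            blocks.append((crit[1].split(","), current))
        else:
            current.setdefault(key, value)  # assumption: first value wins
    return global_cfg, blocks

def user_matches(user, patterns):
    """A positive pattern must match and no '!pattern' may match."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    return any(fnmatchcase(user, p) for p in pos) and not any(fnmatchcase(user, p) for p in neg)

def effective(text, user):
    """Settings in force for `user`: matched blocks take priority over defaults."""
    global_cfg, blocks = parse(text)
    layers = [s for pats, s in blocks if user_matches(user, pats)] + [global_cfg]
    return dict(ChainMap(*layers))  # earlier layers shadow later ones

def relaxed(text, key, risky="yes"):
    """User lists whose Match block sets `key` to `risky` against the default."""
    global_cfg, blocks = parse(text)
    key = key.lower()
    return [p for p, s in blocks if s.get(key) == risky and global_cfg.get(key) != risky]
```

Calling `relaxed(SAMPLE, "PermitEmptyPasswords")` returns the account list from the Match line, the three accounts that may log in with an empty password while every other user cannot.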