I have the situation where sshd should permit sftp only access to a group of users.
This is easily done by adding a match section like
Match Group groupname
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
Now I need to exclude one user that is a member of this group. He should have normal shell access.
Match User username
ChrootDirectory ???
ForceCommand ???
What do I set here? Is it possible to unset configuration directives previously set with another matching section?
First apply the settings to the group, excluding user username, then apply (other) settings to user username. If you do not use the 'ForceCommand' setting for user username, it is not applied.
Match Group groupname User *,!username
ChrootDirectory /srv/ftp
ForceCommand internal-sftp
Match User username
PasswordAuthentication yes
Another example is where you may want different settings if the user logs in from different IP addresses.
#all users except username1 and username2 default to sftp
Match User *,!username1,!username2
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -f LOCAL0 -l INFO
#normal ssh allowed for users username1 and username2 from the local network
Match User username1,username2 Address 192.168.0.0/16
PasswordAuthentication yes
#users username1 and username2 not allowed from other networks
Match User username1,username2 Address *,!192.168.0.0/16
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/sbin/nologin
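To check which block sshd would apply to a given connection before deploying such a configuration, here is an added example (not part of the answer or of OpenSSH) that models sshd's Match evaluation in Python. It follows the rules in sshd_config(5) and the PATTERNS section of ssh_config(5): a negated entry that matches rejects the whole list at once, a negated entry never produces a positive match by itself (so a list like "!username" matches nobody and needs a "*"), and when a keyword appears in several satisfied Match blocks only the first instance is applied. The configuration text is a copy of the second example above with two constructed global defaults in front of it; the user names and addresses in the usage code are constructed as well.

```python
import fnmatch
import ipaddress

# Added example, not sshd's code: a model of Match block evaluation following
# sshd_config(5) and the PATTERNS section of ssh_config(5).  Simplification:
# fnmatch also understands [...] classes, which sshd's wildcards do not.

# Constructed copy of the second configuration from the answer, preceded by
# two constructed global defaults so the fallback behaviour is visible.
SSHD_CONFIG = """
PasswordAuthentication no
AllowTcpForwarding yes
#all users except username1 and username2 default to sftp
Match User *,!username1,!username2
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -f LOCAL0 -l INFO
#normal ssh allowed for users username1 and username2 from the local network
Match User username1,username2 Address 192.168.0.0/16
PasswordAuthentication yes
#users username1 and username2 not allowed from other networks
Match User username1,username2 Address *,!192.168.0.0/16
PasswordAuthentication yes
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/sbin/nologin
"""


def match_pattern_list(value, patterns):
    """Tri-state like OpenSSH match_pattern_list(): 1 = positive match,
    -1 = rejected by a negated entry, 0 = no positive entry matched."""
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(value, pat):
            if negated:
                return -1          # a negated hit ends the search at once
            got_positive = 1
    return got_positive            # "!username" alone can only ever give 0 or -1


def match_address_list(addr, patterns):
    """Same tri-state result for Match Address: CIDR first, wildcard fallback."""
    ip = ipaddress.ip_address(addr)
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:         # not CIDR notation, e.g. "*": wildcard match
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit:
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_group_list(groups, patterns):
    """Match Group is tested against every group the user belongs to."""
    found = 0
    for group in groups:
        r = match_pattern_list(group, patterns)
        if r == -1:
            return -1
        if r == 1:
            found = 1
    return found


CRITERIA = {"user": match_pattern_list,
            "group": match_group_list,
            "address": match_address_list}


def parse_config(text):
    """Split sshd_config text into global settings and ordered Match blocks."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        keyword = keyword.lower()      # sshd keywords are case-insensitive
        if keyword == "match":
            tokens = args.split()      # criteria come in name/pattern pairs
            criteria = [(tokens[i].lower(), tokens[i + 1])
                        for i in range(0, len(tokens), 2)]
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings[keyword] = args.strip()
        else:
            current[1].setdefault(keyword, args.strip())
    return global_settings, blocks


def effective_settings(config_text, user, groups, address):
    """Settings sshd would apply to one connection: the first satisfied Match
    block wins per keyword, global settings fill in whatever is left unset."""
    global_settings, blocks = parse_config(config_text)
    facts = {"user": user, "group": groups, "address": address}
    result = {}
    for criteria, settings in blocks:
        if all(CRITERIA[name](facts[name], pats) == 1 for name, pats in criteria):
            for keyword, value in settings.items():
                result.setdefault(keyword, value)
    for keyword, value in global_settings.items():
        result.setdefault(keyword, value)
    return result


if __name__ == "__main__":
    # Constructed sample connections: a plain sftp user, and username1 from
    # the local network and from outside it.
    for user, addr in [("bob", "10.0.0.7"), ("username1", "192.168.1.10"),
                       ("username1", "203.0.113.5")]:
        eff = effective_settings(SSHD_CONFIG, user, ["users"], addr)
        print(user, addr, "->", eff.get("forcecommand", "(no ForceCommand)"))
```

On a real host the same question is answered by the daemon itself with `sshd -T -C user=username1,addr=203.0.113.5,host=client.example` (the `-C` values are placeholders), which prints the effective configuration for that connection; the model above is only useful for reasoning about the pattern rules without touching the server.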