sshd config: variables and template to optionally add a chrooted sftp environment.
This commit is contained in:
Andrea Dell'Amico
parent
14f4fc2c08
commit
efaf63c8d6
|
|
@ -14,7 +14,6 @@ sshd_strict_mode: "yes"
|
|||
sshd_use_pam: "yes"
|
||||
# set to "yes" only if you are using s/key or something equivalent
|
||||
sshd_challenge_response_authentication: "no"
|
||||
sshd_enable_sftp_subsystem: True
|
||||
sshd_use_login: "no"
|
||||
sshd_permit_tunnel: "no"
|
||||
sshd_gssapi_authentication: "no"
|
||||
|
|
@ -27,3 +26,9 @@ sshd_show_patchlevel: "no"
|
|||
# Usually /etc/issue.net
|
||||
sshd_banner_path: "none"
|
||||
sshd_acceptenv: "LANG LC_*"
|
||||
#
|
||||
sshd_enable_sftp_subsystem: True
|
||||
sshd_enable_sftp_jail: False
|
||||
sshd_sftp_chroot_match_group: filetransfer
|
||||
sshd_sftp_chroot_directory: '%h'
|
||||
sshd_sftp_force_command: 'internal-sftp'
|
||||
|
|
|
|||
|
|
@ -59,28 +59,31 @@ GSSAPIAuthentication {{ sshd_gssapi_authentication }}
|
|||
GSSAPICleanupCredentials {{ sshd_gssapi_credentials }}
|
||||
|
||||
PermitTunnel {{ sshd_permit_tunnel }}
|
||||
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
|
||||
X11Forwarding no
|
||||
{% else %}
|
||||
X11Forwarding {{ sshd_x11_forwarding }}
|
||||
{% endif %}
|
||||
X11DisplayOffset 10
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
UseLogin {{ sshd_use_login }}
|
||||
AllowAgentForwarding {{ sshd_agent_forwarding }}
|
||||
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
|
||||
AllowTcpForwarding no
|
||||
{% else %}
|
||||
AllowTcpForwarding {{ sshd_tcp_forwarding }}
|
||||
{% endif %}
|
||||
PermitUserEnvironment {{ sshd_permit_user_environment }}
|
||||
# ShowPatchLevel {{ sshd_show_patchlevel }}
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
Banner {{ sshd_banner_path }}
|
||||
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
{% if sshd_enable_sftp_subsystem %}
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
{% endif %}
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
|
|
@ -91,3 +94,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM {{ sshd_use_pam }}
|
||||
|
||||
{% if sshd_enable_sftp_subsystem %}
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
{% if sshd_enable_sftp_jail %}
|
||||
Match Group {{ sshd_sftp_chroot_match_group }}
|
||||
ChrootDirectory {{ sshd_sftp_chroot_directory }}
|
||||
ForceCommand {{ sshd_sftp_force_command }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue