From efaf63c8d6c7b96b1ee2de6a13320bb7690701c6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 7 Nov 2017 00:09:47 +0100
Subject: [PATCH] sshd config: variables and template to optionally add a chrooted sftp environment.
---
 sshd_config/defaults/main.yml | 7 ++++++-
 sshd_config/templates/sshd_config.j2 | 23 ++++++++++++++++++-----
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/sshd_config/defaults/main.yml b/sshd_config/defaults/main.yml
index 85ca47d..2d76920 100644
--- a/sshd_config/defaults/main.yml
+++ b/sshd_config/defaults/main.yml
@@ -14,7 +14,6 @@ sshd_strict_mode: "yes"
 sshd_use_pam: "yes"
 # set to "yes" only if you are using s/key or something equivalent
 sshd_challenge_response_authentication: "no"
-sshd_enable_sftp_subsystem: True
 sshd_use_login: "no"
 sshd_permit_tunnel: "no"
 sshd_gssapi_authentication: "no"
@@ -27,3 +26,9 @@ sshd_show_patchlevel: "no"
 # Usually /etc/issue.net
 sshd_banner_path: "none"
 sshd_acceptenv: "LANG LC_*"
+#
+sshd_enable_sftp_subsystem: True
+sshd_enable_sftp_jail: False
+sshd_sftp_chroot_match_group: filetransfer
+sshd_sftp_chroot_directory: '%h'
+sshd_sftp_force_command: 'internal-sftp'
diff --git a/sshd_config/templates/sshd_config.j2 b/sshd_config/templates/sshd_config.j2
index 6860912..dd65668 100644
--- a/sshd_config/templates/sshd_config.j2
+++ b/sshd_config/templates/sshd_config.j2
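Review bot: `sshd_sftp_chroot_directory: '%h'` carries an operational requirement the defaults do not state: sshd only accepts a ChrootDirectory whose path, including every parent component, is owned by root and not writable by any other user or group, so with `%h` the home directory itself must be root-owned and read-only for the jailed account, which can then write only into subdirectories created for it; a login that violates this is refused by the server. A comment on that line would save operators that surprise, e.g. `# Must be root-owned and not group/world-writable, including all parents; with '%h' users can only write in subdirectories of their home.` The bare `+#` line introduced above the new variables says nothing and could either name the block (`# Optional chrooted SFTP jail`) or be dropped. `sshd_sftp_force_command` deserves a similar note that only `internal-sftp` works inside the chroot, because an external sftp-server binary and its libraries are not reachable from there unless copied in.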
@@ -59,28 +59,31 @@ GSSAPIAuthentication {{ sshd_gssapi_authentication }}
 GSSAPICleanupCredentials {{ sshd_gssapi_credentials }}
 PermitTunnel {{ sshd_permit_tunnel }}
+{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
+X11Forwarding no
+{% else %}
 X11Forwarding {{ sshd_x11_forwarding }}
+{% endif %}
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
 UseLogin {{ sshd_use_login }}
 AllowAgentForwarding {{ sshd_agent_forwarding }}
+{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
+AllowTcpForwarding no
+{% else %}
 AllowTcpForwarding {{ sshd_tcp_forwarding }}
+{% endif %}
 PermitUserEnvironment {{ sshd_permit_user_environment }}
 # ShowPatchLevel {{ sshd_show_patchlevel }}
 #MaxStartups 10:30:60
 Banner {{ sshd_banner_path }}
-
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
-{% if sshd_enable_sftp_subsystem %}
-Subsystem sftp /usr/lib/openssh/sftp-server
-{% endif %}
-
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
@@ -91,3 +94,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM {{ sshd_use_pam }}
+
+{% if sshd_enable_sftp_subsystem %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% if sshd_enable_sftp_jail %}
+Match Group {{ sshd_sftp_chroot_match_group }}
+ChrootDirectory {{ sshd_sftp_chroot_directory }}
+ForceCommand {{ sshd_sftp_force_command }}
+{% endif %}
+{% endif %}
+
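Review bot: The two new `{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}` wrappers force `X11Forwarding no` and `AllowTcpForwarding no` in the global section, so enabling the jail for one group silently disables forwarding for every interactive user on the host and makes `sshd_x11_forwarding` / `sshd_tcp_forwarding` dead variables whenever the jail is on. Both keywords are accepted inside a Match block, which is where a jail restriction belongs: scoped to the chrooted group, which still needs it because ForceCommand alone does not stop a client from requesting port-forwarding channels. I would drop the wrappers here, keep the original `X11Forwarding {{ sshd_x11_forwarding }}` and `AllowTcpForwarding {{ sshd_tcp_forwarding }}` lines, and put the restrictions into the Match block that this commit adds at the end of the file (`AllowAgentForwarding no` is belt-and-braces there, since a forced internal-sftp session has no process that would use the agent socket). The global settings this hunk edits sit in a file section that continues outside the hunk.
```jinja
{# … unchanged: global X11Forwarding / AllowTcpForwarding lines, no longer wrapped in the jail conditional … #}
Match Group {{ sshd_sftp_chroot_match_group }}
    ChrootDirectory {{ sshd_sftp_chroot_directory }}
    ForceCommand {{ sshd_sftp_force_command }}
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
```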
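Review bot: The new `Match Group` block is placed last, which is correct, but nothing in the template says that this is load-bearing: in sshd_config every directive that follows a Match line belongs to that Match until the next one, so anyone who later appends a global option to this template will silently apply it only to the `{{ sshd_sftp_chroot_match_group }}` group. A comment above the block would pin that down, e.g. `# Keep this Match block at the very end of the file: every directive below a Match line is scoped to it.` The same spot should note that `ForceCommand` must stay `internal-sftp` for the jail to work, because the `Subsystem sftp /usr/lib/openssh/sftp-server` binary rendered two lines above is not reachable from inside the chroot; the variable default is right, but the template does not explain why overriding it breaks logins. Indenting the three directives under `Match Group` (sshd ignores leading whitespace) would also make the scope visible at a glance, matching the style of the stock Debian sshd_config this template is derived from.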