sshd config: variables and template to optionally add a chrooted sftp environment.

This commit is contained in:
Andrea Dell'Amico 2017-11-07 00:09:47 +01:00
parent 14f4fc2c08
commit efaf63c8d6
2 changed files with 24 additions and 6 deletions

View File

@ -14,7 +14,6 @@ sshd_strict_mode: "yes"
sshd_use_pam: "yes"
# set to "yes" only if you are using s/key or something equivalent
sshd_challenge_response_authentication: "no"
sshd_enable_sftp_subsystem: True
sshd_use_login: "no"
sshd_permit_tunnel: "no"
sshd_gssapi_authentication: "no"
@ -27,3 +26,9 @@ sshd_show_patchlevel: "no"
# Usually /etc/issue.net
sshd_banner_path: "none"
sshd_acceptenv: "LANG LC_*"
#
sshd_enable_sftp_subsystem: True
sshd_enable_sftp_jail: False
sshd_sftp_chroot_match_group: filetransfer
sshd_sftp_chroot_directory: '%h'
sshd_sftp_force_command: 'internal-sftp'

View File

@ -59,28 +59,31 @@ GSSAPIAuthentication {{ sshd_gssapi_authentication }}
GSSAPICleanupCredentials {{ sshd_gssapi_credentials }}
PermitTunnel {{ sshd_permit_tunnel }}
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
X11Forwarding no
{% else %}
X11Forwarding {{ sshd_x11_forwarding }}
{% endif %}
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin {{ sshd_use_login }}
AllowAgentForwarding {{ sshd_agent_forwarding }}
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
AllowTcpForwarding no
{% else %}
AllowTcpForwarding {{ sshd_tcp_forwarding }}
{% endif %}
PermitUserEnvironment {{ sshd_permit_user_environment }}
# ShowPatchLevel {{ sshd_show_patchlevel }}
#MaxStartups 10:30:60
Banner {{ sshd_banner_path }}
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
{% if sshd_enable_sftp_subsystem %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
@ -91,3 +94,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM {{ sshd_use_pam }}
{% if sshd_enable_sftp_subsystem %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% if sshd_enable_sftp_jail %}
Match Group {{ sshd_sftp_chroot_match_group }}
ChrootDirectory {{ sshd_sftp_chroot_directory }}
ForceCommand {{ sshd_sftp_force_command }}
{% endif %}
{% endif %}