From 587faf55550674751d9348630980c3f8b5600d2b Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 10 Apr 2020 18:12:37 +0200
Subject: [PATCH] sshd: add more limits to the 'sftp only' users.

---
 library/roles/sshd_config/templates/sshd_config.j2 | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/library/roles/sshd_config/templates/sshd_config.j2 b/library/roles/sshd_config/templates/sshd_config.j2
index e122bf5f..57118ebc 100644
--- a/library/roles/sshd_config/templates/sshd_config.j2
+++ b/library/roles/sshd_config/templates/sshd_config.j2
@@ -96,12 +96,19 @@ AcceptEnv LANG LC_*
 UsePAM {{ sshd_use_pam }}
 {% if sshd_enable_sftp_subsystem %}
-Subsystem sftp internal-sftp
+{% if ansible_distribution_file_variety == 'RedHat' %}
+Subsystem sftp /usr/libexec/openssh/sftp-server
+{% else %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% endif %}
 {% if sshd_enable_sftp_jail %}
- Match Group {{ sshd_sftp_chroot_match_group }}
+Match Group {{ sshd_sftp_chroot_match_group }}
 ChrootDirectory {{ sshd_sftp_chroot_directory }}
- X11Forwarding no
+ ForceCommand {{ sshd_sftp_force_command }}
+ PermitTunnel no
+ AllowAgentForwarding no
 AllowTcpForwarding no
+ X11Forwarding no
 {% endif %}
 {% endif %}
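Review bot: The `ForceCommand {{ sshd_sftp_force_command }}` added inside the Match Group block has to resolve to `internal-sftp` for the jail to keep working, because the same hunk switches the Subsystem from `internal-sftp` to the external sftp-server binary, which can only run under `ChrootDirectory` if that binary and its shared libraries are also present inside the jail; the value of `sshd_sftp_force_command` is not visible here, so this is an inference to confirm against the role's defaults. If the variable is set to the external binary path, chrooted users would simply fail to connect rather than be restricted, and the Subsystem change is then a no-op for them since ForceCommand overrides it. Consider pinning `ForceCommand internal-sftp` in the Match block, or documenting that requirement next to the variable in the role's defaults, and since the commit's intent is to limit these users, `PermitTTY no` and `PermitUserRC no` would close the remaining interactive paths alongside the forwarding and tunnel options already added. The `{% if sshd_enable_sftp_subsystem %}` block is fully inside the hunk, but the rest of the sshd_config template continues outside it.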