From efaf63c8d6c7b96b1ee2de6a13320bb7690701c6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Tue, 7 Nov 2017 00:09:47 +0100
Subject: [PATCH] sshd config: variables and template to optionally add a
 chrooted sftp environment.

---
 sshd_config/defaults/main.yml        |  7 ++++++-
 sshd_config/templates/sshd_config.j2 | 23 ++++++++++++++++++-----
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/sshd_config/defaults/main.yml b/sshd_config/defaults/main.yml
index 85ca47d5..2d769202 100644
--- a/sshd_config/defaults/main.yml
+++ b/sshd_config/defaults/main.yml
@@ -14,7 +14,6 @@ sshd_strict_mode: "yes"
 sshd_use_pam: "yes"
 # set to "yes" only if you are using s/key or something equivalent
 sshd_challenge_response_authentication: "no"
-sshd_enable_sftp_subsystem: True
 sshd_use_login: "no"
 sshd_permit_tunnel: "no"
 sshd_gssapi_authentication: "no"
@@ -27,3 +26,9 @@ sshd_show_patchlevel: "no"
 # Usually /etc/issue.net
 sshd_banner_path: "none"
 sshd_acceptenv: "LANG LC_*"
+#
+sshd_enable_sftp_subsystem: True 
+sshd_enable_sftp_jail: False
+sshd_sftp_chroot_match_group: filetransfer
+sshd_sftp_chroot_directory: '%h'
+sshd_sftp_force_command: 'internal-sftp'
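Review bot: The new default `sshd_enable_sftp_subsystem: True ` carries a trailing space, and both new flags use Python-style `True`/`False` where yamllint's truthy rule expects lowercase `true`/`false`; the bare `#` separator above them also says nothing about what the group does. I would write `sshd_enable_sftp_subsystem: true` and `sshd_enable_sftp_jail: false` and replace the empty comment with `# Chrooted SFTP jail: applied only when both flags are true; members of the match group get ChrootDirectory + ForceCommand`. Since `sshd_sftp_chroot_directory: '%h'` makes the user's home the chroot, a one-line comment there noting that sshd refuses a chroot whose path components are not root-owned and non-group/world-writable would save the first deployment a "bad ownership or modes" failure.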
diff --git a/sshd_config/templates/sshd_config.j2 b/sshd_config/templates/sshd_config.j2
index 6860912c..dd656685 100644
--- a/sshd_config/templates/sshd_config.j2
+++ b/sshd_config/templates/sshd_config.j2
@@ -59,28 +59,31 @@ GSSAPIAuthentication {{ sshd_gssapi_authentication }}
 GSSAPICleanupCredentials {{ sshd_gssapi_credentials }}
 
 PermitTunnel {{ sshd_permit_tunnel }}
+{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
+X11Forwarding no
+{% else %}
 X11Forwarding {{ sshd_x11_forwarding }}
+{% endif %}
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
 UseLogin {{ sshd_use_login }}
 AllowAgentForwarding {{ sshd_agent_forwarding }}
+{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
+AllowTcpForwarding no
+{% else %}
 AllowTcpForwarding {{ sshd_tcp_forwarding }}
+{% endif %}
 PermitUserEnvironment {{ sshd_permit_user_environment }}
 # ShowPatchLevel {{ sshd_show_patchlevel }}
 
 #MaxStartups 10:30:60
 Banner {{ sshd_banner_path }}
 
-
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-{% if sshd_enable_sftp_subsystem %}
-Subsystem sftp /usr/lib/openssh/sftp-server
-{% endif %}
-
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
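Review bot: The two `{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}` branches force `X11Forwarding no` and `AllowTcpForwarding no` in the global section, so enabling the jail removes forwarding for every account on the host rather than for the chrooted group only, while the `Match Group` block added in the last hunk carries just ChrootDirectory and ForceCommand. Both directives are valid inside a Match block, so I would keep the global lines as `X11Forwarding {{ sshd_x11_forwarding }}` and `AllowTcpForwarding {{ sshd_tcp_forwarding }}` and add `AllowTcpForwarding no` and `X11Forwarding no` after `ForceCommand {{ sshd_sftp_force_command }}` in the Match block, which also drops the duplicated condition. For consistency the jail should then also scope `AllowAgentForwarding no` and `PermitTunnel no` to the match, since this hunk leaves those two at their global values while disabling the other forwarding types. The template continues outside this hunk.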
@@ -91,3 +94,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM {{ sshd_use_pam }}
+
+{% if sshd_enable_sftp_subsystem %}
+Subsystem sftp /usr/lib/openssh/sftp-server
+{% if sshd_enable_sftp_jail %}
+Match Group {{ sshd_sftp_chroot_match_group }}
+ChrootDirectory {{ sshd_sftp_chroot_directory }}
+ForceCommand {{ sshd_sftp_force_command }}
+{% endif %}
+{% endif %}
+
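Review bot: The `Match Group {{ sshd_sftp_chroot_match_group }}` block is placed correctly at the end of the template, but nothing documents that every directive after a `Match` line applies only to the matched users, so the next maintainer appending a global option below `UsePAM` risks silently scoping it to the SFTP group; I would add `{# Match must stay last: everything below applies only to the matched group #}` above the `{% if sshd_enable_sftp_jail %}` line. With the `%h` default for `ChrootDirectory`, the home directory itself must be root-owned and not group/world-writable or sshd rejects the login, so users can only write inside a subdirectory of their home — worth a comment next to `ChrootDirectory {{ sshd_sftp_chroot_directory }}`. The Subsystem line still points at `/usr/lib/openssh/sftp-server`, which is fine here only because `ForceCommand internal-sftp` overrides it for the jailed group; a short comment stating that dependency would make the pairing explicit.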