From: Peter Palfrader Date: Sun, 20 Aug 2017 08:17:19 +0000 (+0200) Subject: Do limit group sftponly to sftp X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=e9939dc6025e4d6dbb0b6d27b21490b5574b0f29;p=mirror%2Fdsa-puppet.git Do limit group sftponly to sftp --- diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index b0e690f2d..9b49f2fc8 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb @@ -85,3 +85,9 @@ UsePAM yes AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more PasswordAuthentication no + +Match Group sftponly + AllowStreamLocalForwarding no + AllowTCPForwarding no + X11Forwarding no + ForceCommand internal-sftp
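Review bot: The new `Match Group sftponly` block limits members to the SFTP subsystem but sets no `ChrootDirectory`, so with `ForceCommand internal-sftp` alone they can still browse and fetch anything on the filesystem that ordinary file permissions allow. If the intent is confinement rather than only denying a shell, consider adding a `ChrootDirectory` line to the block, bearing in mind that sshd requires the chroot path to be root-owned and not writable by group or others. The block also leaves `AllowAgentForwarding` and `PermitTunnel` at whatever the global section gives them, while the three other forwarding types are turned off explicitly. Setting both to `no` here would make the restriction complete and independent of the global values. Finally, the block is appended at the end of the template, and a `Match` section runs until the next `Match` line or end of file, so any global option later added below it would silently apply only to `sftponly`. A short comment above `Match Group sftponly` saying that global settings must stay above this point would guard against that.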