From e9939dc6025e4d6dbb0b6d27b21490b5574b0f29 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 20 Aug 2017 10:17:19 +0200
Subject: [PATCH] Do limit group sftponly to sftp
---
 modules/ssh/templates/sshd_config.erb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index b0e690f2d..9b49f2fc8 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -85,3 +85,9 @@ UsePAM yes
 AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more
 PasswordAuthentication no
+
+Match Group sftponly
+ AllowStreamLocalForwarding no
+ AllowTCPForwarding no
+ X11Forwarding no
+ ForceCommand internal-sftp
-- 
2.20.1
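Review bot: The new `Match Group sftponly` block forces `internal-sftp` but sets no `ChrootDirectory`, so members of the group can still list and read any path that ordinary file permissions allow. If confinement to a transfer area is intended, add `ChrootDirectory <root-owned base directory>` (placeholder); otherwise a comment above the block stating that filesystem-wide read access is accepted would record the decision. The block also leaves agent forwarding at its default, and `AllowAgentForwarding no` would complete the set of forwarding restrictions already listed. Because a Match block extends to the next `Match` line or the end of the file, a comment such as `# Keep Match blocks last: directives added below this line apply only to sftponly` would stop later global settings from being scoped to this group by accident. For an audit trail of transfers, `ForceCommand internal-sftp -l INFO` is worth considering.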