From 33ee94555711434bde32371af6e745c413466ad2 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Fri, 16 Jan 2015 22:56:59 +0100
Subject: [PATCH] Added AllowUsers,AllowGroups,DenyUsers,DenyGroups

This will add more options to set to secure openssh
- AllowUsers
- AllowGroups
- DenyUsers
- DenyGroups
---
 openssh/files/sshd_config | 19 +++++++++++++++++++
 pillar.example | 2 ++
 2 files changed, 21 insertions(+)

diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 2985fb3..f0be13a 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -137,6 +137,25 @@
 # DNS resolve and map remote IP addresses
 {{ option('UseDNS', 'yes') }}
+# Restricting Users and Hosts
+# example:
+# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke
+# AllowGroups wheel staff
+#
+# Keep in mind that using AllowUsers or AllowGroups means that anyone
+# not Matching one of the supplied patterns will be denied access by default.
+# Also, in order for sshd to allow access based on full or partial hostnames it
+# needs to to a DNS lookup
+#
+# DenyUsers
+{{ option('DenyUsers', '') }}
+# AllowUsers
+{{ option('AllowUsers', '') }}
+# DenyGroups
+{{ option('DenyGroups', '') }}
+# AllowGroups
+{{ option('AllowGroups', '') }}
+
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
 {#- Matches have to be at the bottem and should be handled differently -#}
diff --git a/pillar.example b/pillar.example
index 264d112..9f32fce 100644
--- a/pillar.example
+++ b/pillar.example
@@ -32,6 +32,8 @@ sshd_config:
 Subsystem: "sftp /usr/lib/openssh/sftp-server"
 UsePAM: 'yes'
 UseDNS: 'yes'
+AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+AllowGroups: 'wheel staff'
 matches:
 sftp_chroot:
 type:
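Review bot: The four new `option()` calls use an empty-string default, unlike the existing `{{ option('UseDNS', 'yes') }}` above them, so when the pillar leaves these keys unset the rendered file may contain a bare `DenyUsers` / `AllowUsers` / `DenyGroups` / `AllowGroups` line with no argument; whether the macro suppresses the directive on an empty default cannot be seen from this hunk, since `option()` is defined elsewhere in the template, and that should be confirmed against the rendered output (or the lines wrapped in an `{% if %}` on the pillar key). The four directives are emitted in the order sshd evaluates them (DenyUsers, AllowUsers, DenyGroups, AllowGroups), which is worth stating in the comment block so a later edit does not reorder them, e.g. `# sshd processes these in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups`. The comment line `# needs to to a DNS lookup` should read `# needs to do a DNS lookup`.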
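Review bot: The example pillar now sets `AllowUsers` and `AllowGroups` to fictional accounts, and as the template's own comment in the first hunk states, anyone not matching these patterns is denied access, so applying pillar.example unchanged to a host locks out every real account including the one used for administration. Keeping the two keys commented out in the example, e.g. `# AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'` and `# AllowGroups: 'wheel staff'`, shows the syntax without making the default sample lock the door; at minimum a comment on the lines should warn that they must be edited before use.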