Added AllowUsers,AllowGroups,DenyUsers,DenyGroups

This will add more options to set to secure openssh - AllowUsers - AllowGroups - DenyUsers - DenyGroups
2015-01-16 22:56:59 +01:00 · 2015-01-16 22:56:59 +01:00 · 33ee945557
commit 33ee945557
parent 23c725aaeb
2 changed files with 21 additions and 0 deletions
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@ -137,6 +137,25 @@
 # DNS resolve and map remote IP addresses
 {{ option('UseDNS', 'yes') }}

+# Restricting Users and Hosts
+# example:
+#  AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke 
+#  AllowGroups wheel staff
+#
+# Keep in mind that using AllowUsers or AllowGroups means that anyone
+# not Matching one of the supplied patterns will be denied access by default.
+# Also, in order for sshd to allow access based on full or partial hostnames it
+# needs to to a DNS lookup
+#
+# DenyUsers
+{{ option('DenyUsers', '') }}
+# AllowUsers
+{{ option('AllowUsers', '') }}
+# DenyGroups
+{{ option('DenyGroups', '') }}
+# AllowGroups
+{{ option('AllowGroups', '') }}
+
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
  {#- Matches have to be at the bottem and should be handled differently -#}
--- a/pillar.example
+++ b/pillar.example
@ -32,6 +32,8 @@ sshd_config:
  Subsystem: "sftp /usr/lib/openssh/sftp-server"
  UsePAM: 'yes'
  UseDNS: 'yes'
+  AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+  AllowGroups: 'wheel staff'
  matches:
    sftp_chroot:
      type: