From 33ee94555711434bde32371af6e745c413466ad2 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Fri, 16 Jan 2015 22:56:59 +0100
Subject: [PATCH 1/2] Added AllowUsers,AllowGroups,DenyUsers,DenyGroups This will add more options to set to secure openssh - AllowUsers - AllowGroups - DenyUsers - DenyGroups
---
 openssh/files/sshd_config | 19 +++++++++++++++++++
 pillar.example | 2 ++
 2 files changed, 21 insertions(+)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 2985fb3..f0be13a 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -137,6 +137,25 @@
 # DNS resolve and map remote IP addresses
 {{ option('UseDNS', 'yes') }}
 
+# Restricting Users and Hosts
+# example:
+# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke
+# AllowGroups wheel staff
+#
+# Keep in mind that using AllowUsers or AllowGroups means that anyone
+# not Matching one of the supplied patterns will be denied access by default.
+# Also, in order for sshd to allow access based on full or partial hostnames it
+# needs to to a DNS lookup
+#
+# DenyUsers
+{{ option('DenyUsers', '') }}
+# AllowUsers
+{{ option('AllowUsers', '') }}
+# DenyGroups
+{{ option('DenyGroups', '') }}
+# AllowGroups
+{{ option('AllowGroups', '') }}
+
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
 {#- Matches have to be at the bottem and should be handled differently -#}
diff --git a/pillar.example b/pillar.example
index 264d112..9f32fce 100644
--- a/pillar.example
+++ b/pillar.example
@@ -32,6 +32,8 @@ sshd_config:
 Subsystem: "sftp /usr/lib/openssh/sftp-server"
 UsePAM: 'yes'
 UseDNS: 'yes'
+ AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+ AllowGroups: 'wheel staff'
 matches:
 sftp_chroot:
 type:
From 6e65cdad03d4e858de4c7cab7751ad5d8117c9b1 Mon Sep 17 00:00:00 2001
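Review bot: The four new lines of the form `{{ option('DenyUsers', '') }}` pass an empty string as the default, and if the `option` macro (defined above this hunk, outside the view) emits the keyword whenever it is called, an unset pillar key renders as a bare `DenyUsers` with no argument, which sshd rejects at config parse time as a missing argument; if the macro instead comments the keyword out on an empty value this is harmless, but that behaviour should be confirmed before merging. The comment line `+# needs to to a DNS lookup` has a doubled word and should read `# needs to do a DNS lookup`. The comment block would also be more useful if it noted that the order used here (DenyUsers, AllowUsers, DenyGroups, AllowGroups) is the fixed order in which sshd evaluates these directives regardless of their position in the file, and that hostname patterns are matched against the client's reverse-DNS name, so they are only as reliable as that lookup and IP-based patterns are the safer choice where possible. The template continues below the hunk, so whether the unknown-keyword loop there would also render these keys when set could not be checked from here.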
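Review bot: The example sets both `AllowUsers` and `AllowGroups`, and sshd requires a login to pass both lists, so `sidious` and `luke` are only admitted if they are also members of `wheel` or `staff`; a short comment beside these two lines saying that the lists are combined, not alternatives, would keep the example from reading as two independent allow lists. The second patch in this series keeps the same combination, so the comment applies there as well.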
From: Niels Abspoel
Date: Sat, 17 Jan 2015 20:04:03 +0100
Subject: [PATCH 2/2] add DenyUsers and DenyGroups example
---
 pillar.example | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pillar.example b/pillar.example
index 9f32fce..e3f7a27 100644
--- a/pillar.example
+++ b/pillar.example
@@ -33,7 +33,10 @@ sshd_config:
 UsePAM: 'yes'
 UseDNS: 'yes'
 AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
- AllowGroups: 'wheel staff'
+ DenyUsers: 'yoda chewbaca@112.10.21.1'
+ AllowGroups: 'wheel staff imperial'
+ DenyGroups: 'rebel'
+ Deny
 matches:
 sftp_chroot:
 type:
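Review bot: The fourth added line, `+ Deny`, is a bare token with no colon or value sitting between `DenyGroups: 'rebel'` and `matches:`, and the diffstat's four insertions confirm it is part of the commit rather than a rendering artefact; it leaves pillar.example as invalid YAML (a plain scalar where a mapping key is expected), so anything that loads the example pillar should fail to parse. It looks like an editing leftover and the line should simply be removed. The other three added keys are well-formed.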