Merge pull request #28 from aboe76/allow_deny_users

Added AllowUsers,AllowGroups,DenyUsers,DenyGroups

openssh/files/sshd_config

@@ -137,6 +137,25 @@
 # DNS resolve and map remote IP addresses
 {{ option('UseDNS', 'yes') }}
 
+# Restricting Users and Hosts
+# example:
+#  AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke 
+#  AllowGroups wheel staff
+#
+# Keep in mind that using AllowUsers or AllowGroups means that anyone
+# not Matching one of the supplied patterns will be denied access by default.
+# Also, in order for sshd to allow access based on full or partial hostnames it
+# needs to to a DNS lookup
+#
+# DenyUsers
+{{ option('DenyUsers', '') }}
+# AllowUsers
+{{ option('AllowUsers', '') }}
+# DenyGroups
+{{ option('DenyGroups', '') }}
+# AllowGroups
+{{ option('AllowGroups', '') }}
+
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
   {#- Matches have to be at the bottem and should be handled differently -#}

pillar.example

@@ -32,6 +32,11 @@ sshd_config:
   Subsystem: "sftp /usr/lib/openssh/sftp-server"
   UsePAM: 'yes'
   UseDNS: 'yes'
+  AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+  DenyUsers: 'yoda chewbaca@112.10.21.1'
+  AllowGroups: 'wheel staff imperial'
+  DenyGroups: 'rebel'
+  Deny
   matches:
     sftp_chroot:
       type: