From 9cdb9aaba0c500f43b73d0bd3f1764633e3e7c88 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Mon, 21 Aug 2017 23:35:04 +0200
Subject: [PATCH] improve allow_deny_users_groups

---
 openssh/files/sshd_config | 9 +++++----
 pillar.example | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index b0ca8d4..ffa8e57 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -208,13 +208,14 @@
 # needs to to a DNS lookup
 #
 # DenyUsers
-{{ option('DenyUsers', '') }}
+{{ option_string_or_list('DenyUsers', '', True , sep=' ')}}
 # AllowUsers
-{{ option('AllowUsers', '') }}
+{{ option_string_or_list('AllowUsers', '', True , sep=' ')}}
 # DenyGroups
-{{ option('DenyGroups', '') }}
+{{ option_string_or_list('DenyGroups', '', True , sep=' ')}}
 # AllowGroups
-{{ option('AllowGroups', '') }}
+{{ option_string_or_list('AllowGroups', '', True , sep=' ')}}
 
+
 # Specifies the available KEX (Key Exchange) algorithms.
 {{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}
diff --git a/pillar.example b/pillar.example
index a1c6de7..935fb57 100644
--- a/pillar.example
+++ b/pillar.example
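Review bot: The four rewritten directives pass an empty default and the positional `True` to option_string_or_list, and the hunk does not show whether that macro suppresses the line when the pillar key is unset or renders a bare `DenyUsers`/`AllowUsers` keyword with no patterns; the removed `option(...)` calls had the same empty default, so this should be confirmed against the macro rather than assumed. A bare `AllowUsers` line is the one to check first, because it is an allow-list: depending on the sshd version it is either ignored or rejected at config parse time, and neither is what an operator reading the rendered file would expect. The `True , sep=' ')}}` spacing (space before the comma, none before `}}`) differs from the KexAlgorithms call two lines below; `True, sep=' ') }}` would match it. A comment above the block, `# DenyUsers/AllowUsers/DenyGroups/AllowGroups accept a space-separated string or a list of patterns; sshd processes them in that fixed order regardless of file order`, would record the contract this change introduces.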
@@ -44,10 +44,33 @@ sshd_config:
   Subsystem: "sftp /usr/lib/openssh/sftp-server"
   UsePAM: 'yes'
   UseDNS: 'yes'
+  # set as string
   AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+  # or set as list
+  AllowUsers:
+    - vader@10.0.0.1
+    - maul@evil.com
+    - sidious
+    - luke
+  # set as string
   DenyUsers: 'yoda chewbaca@112.10.21.1'
+  # or set as list
+  DenyUsers:
+    - yoda
+    - chewbaca@112.10.21.1
+  # set as string
   AllowGroups: 'wheel staff imperial'
+  # or set as list
+  AllowGroups:
+    - wheel
+    - staff
+    - imperial
+  # set as string
   DenyGroups: 'rebel'
+  # or set as list
+  DenyGroups:
+    - rebel
+    - badcompany
   matches:
     sftp_chroot:
       type:
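Review bot: Each of AllowUsers, DenyUsers, AllowGroups and DenyGroups now appears twice under sshd_config:, once as a string and once as a list, so the example is no longer loadable as written: a duplicate mapping key is an error in strict YAML loaders, and in permissive ones the second value silently wins, which for an access-control list means the string form shown first is never what gets rendered. Comment out one of the two alternatives for each key (for example prefix the list form with `# `), keeping the `# set as string` / `# or set as list` comments so the example still documents both shapes. If the intent is that both forms are accepted by the template, a single comment at the top of the group, `# each of the four directives below may be a space-separated string or a YAML list; only one form per key`, says so without leaving a broken example.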