improve allow_deny_users_groups

openssh/files/sshd_config

@@ -208,13 +208,14 @@
 # needs to to a DNS lookup
 #
 # DenyUsers
-{{ option('DenyUsers', '') }}
+{{ option_string_or_list('DenyUsers', '', True , sep=' ')}}
 # AllowUsers
-{{ option('AllowUsers', '') }}
+{{ option_string_or_list('AllowUsers', '', True , sep=' ')}}
 # DenyGroups
-{{ option('DenyGroups', '') }}
+{{ option_string_or_list('DenyGroups', '', True , sep=' ')}}
 # AllowGroups
-{{ option('AllowGroups', '') }}
+{{ option_string_or_list('AllowGroups', '', True , sep=' ')}}
+
 
 # Specifies the available KEX (Key Exchange) algorithms.
 {{ option_string_or_list('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1', True) }}

pillar.example

@@ -44,10 +44,33 @@ sshd_config:
   Subsystem: "sftp /usr/lib/openssh/sftp-server"
   UsePAM: 'yes'
   UseDNS: 'yes'
+  # set as string
   AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
+  # or set as list
+  AllowUsers: 
+    - vader@10.0.0.1 
+    - maul@evil.com 
+    - sidious 
+    - luke
+  # set as string 
   DenyUsers: 'yoda chewbaca@112.10.21.1'
+  # or set as list
+  DenyUsers:
+    - yoda
+    - chewbaca@112.10.21.1
+  # set as string
   AllowGroups: 'wheel staff imperial'
+  # or set as list
+  AllowGroups:
+    - wheel
+    - staff
+    - imperial
+  # set as string
   DenyGroups: 'rebel'
+  # or set as list
+  DenyGroups:
+    - rebel
+    - badcompany
   matches:
     sftp_chroot:
       type: