From 0d30e54fd5b3bc9d8671aafe09dbafe7424737e1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 1 Feb 2024 10:29:32 -0600
Subject: [PATCH] r/fileserver: Restrict non-administrators to SFTP

Normal users do not need shell access to the file server, and certainly should not be allowed to e.g. forward ports through it. Using a `Match` block, we can apply restrictions to users who do not need administrative functionality. In this case, we restrict everyone who is not a member of the *Server Admins* group in the PYROCUFFLINK AD domain.

---
 group_vars/pyrocufflink/main.yml | 2 ++
 roles/fileserver/defaults/main.yml | 2 ++
 roles/fileserver/handlers/main.yml | 5 +++++
 roles/fileserver/tasks/main.yml | 13 +++++++++++++
 roles/fileserver/templates/sftp-only.sshd_config.j2 | 11 +++++++++++
 5 files changed, 33 insertions(+)
 create mode 100644 roles/fileserver/templates/sftp-only.sshd_config.j2
diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index 5587f6a..3a36093 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -22,3 +22,5 @@ sudo_authorized_ssh_keys: |
 # Default flags include -n, which makes Ansible complain about a "missing
 # become password," even though it would never actually prompt for one.
 ansible_become_flags: -H
+
+fileserver_sftp_only_match: 'Group !server?admins,*'
diff --git a/roles/fileserver/defaults/main.yml b/roles/fileserver/defaults/main.yml
index 59f645b..261821d 100644
--- a/roles/fileserver/defaults/main.yml
+++ b/roles/fileserver/defaults/main.yml
@@ -1,2 +1,4 @@
 file_shares: []
 samba_use_smbd: true
+
+fileserver_sftp_only_match: 'User !root,*'
diff --git a/roles/fileserver/handlers/main.yml b/roles/fileserver/handlers/main.yml
index adf5c93..d1e84f0 100644
--- a/roles/fileserver/handlers/main.yml
+++ b/roles/fileserver/handlers/main.yml
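Review bot: The `?` in `'Group !server?admins,*'` is an sshd pattern wildcard for any single character, evidently standing in for the space in the *Server Admins* group name because Match criteria are whitespace-separated; it therefore also exempts a group called, say, `server-admins` or `server_admins`, and sshd's Match patterns are case-sensitive, so the exemption depends on the exact spelling the name service returns for the AD group (check with `id <user>` on the host). A comment above the line would stop the next reader taking the `?` for a typo, e.g. `# '?' stands in for the space in "Server Admins" (Match criteria cannot contain spaces);` followed by `# patterns are case-sensitive, so this must match the group name exactly as winbind/SSSD presents it`.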
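Review bot: The role default `'User !root,*'` puts every account except root under `ForceCommand internal-sftp`, which includes whatever non-root account Ansible itself connects as (the `sudo_authorized_ssh_keys` and `ansible_become_flags` settings in the same group_vars file suggest that is the setup here); any host that takes the default rather than the group_vars override would lock the playbook out on its next run, once the `reload sshd` handler has fired. The contract should be stated next to the default, e.g. `# Match criteria for the SFTP-only sshd block; MUST exclude the account` and `# Ansible connects as, otherwise the next run loses shell access`. After deployment it is worth confirming with `sshd -T -C user=<ansible user>` that the effective configuration for that user does not carry `forcecommand internal-sftp`.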
@@ -1,2 +1,7 @@
 - name: save firewalld configuration
 command: firewall-cmd --runtime-to-permanent
+
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/fileserver/tasks/main.yml b/roles/fileserver/tasks/main.yml
index 05a16b4..53120eb 100644
--- a/roles/fileserver/tasks/main.yml
+++ b/roles/fileserver/tasks/main.yml
@@ -44,3 +44,16 @@
 name=samba_enable_home_dirs
 persistent=yes
 state=yes
+
+- name: ensure ssh server is configured for sftp only
+ template:
+ src: sftp-only.sshd_config.j2
+ dest: /etc/ssh/sshd_config.d/95-sftp-only.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload sshd
+ tags:
+ - sshd-config
+ - config
diff --git a/roles/fileserver/templates/sftp-only.sshd_config.j2 b/roles/fileserver/templates/sftp-only.sshd_config.j2
new file mode 100644
index 0000000..ad92c7d
--- /dev/null
+++ b/roles/fileserver/templates/sftp-only.sshd_config.j2
@@ -0,0 +1,11 @@
+Match {{ fileserver_sftp_only_match }}
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AllowTcpForwarding no
+ DisableForwarding yes
+ ForceCommand internal-sftp
+ PermitListen none
+ PermitOpen none
+ PermitTTY no
+ PermitTunnel no
+ PermitUserRC no
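Review bot: The template task in tasks/main.yml writes the drop-in and notifies `reload sshd` without validating it first, so a malformed `fileserver_sftp_only_match` (an empty value renders a bare `Match` line, which sshd rejects) reaches the running daemon and can leave it refusing new connections, including Ansible's own. Adding `validate: /usr/sbin/sshd -t -f %s` to the task makes a bad fragment fail the task before the handler runs. That checks the fragment on its own rather than the merged configuration, so it catches syntax errors but not interactions with the main sshd_config.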
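Review bot: `ForceCommand internal-sftp` in sftp-only.sshd_config.j2 is used without `ChrootDirectory`, so matched users can still traverse the whole filesystem over SFTP, limited only by ordinary permissions; if confining them to the shares is intended, pair it with `ChrootDirectory` pointing at a root-owned, non-group/other-writable path, otherwise a comment such as `# No ChrootDirectory: filesystem-wide SFTP access is intended, normal permissions apply` would record the decision. Because a Match block ends only at the next `Match` or the end of the parsed input, and the drop-in is pulled in wherever the main sshd_config's `Include` line sits, this block may also capture any directive that follows that Include in the main file; confirm the effective settings with `sshd -T -C user=<non-admin>` and `sshd -T -C user=<admin>` after deployment. The `AllowAgentForwarding`, `AllowStreamLocalForwarding`, `AllowTcpForwarding` and `PermitTunnel` lines are already covered by `DisableForwarding yes`; harmless, but a comment `# DisableForwarding covers the Allow*/PermitTunnel lines; they are kept explicit for readers and for older sshd` would explain why both appear.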