r/fileserver: Restrict non-administrators to SFTP

Normal users do not need shell access to the file server, and certainly should not be allowed to e.g. forward ports through it. Using a `Match` block, we can apply restrictions to users who do not need administrative functionality. In this case, we restrict everyone who is not a member of the *Server Admins* group in the PYROCUFFLINK AD domain.
2024-02-01 10:29:32 -06:00
parent b5c54d7bb3
commit 0d30e54fd5
5 changed files with 33 additions and 0 deletions
--- a/roles/fileserver/tasks/main.yml
+++ b/roles/fileserver/tasks/main.yml
@@ -44,3 +44,16 @@
    name=samba_enable_home_dirs
    persistent=yes
    state=yes
+
+- name: ensure ssh server is configured for sftp only
+  template:
+    src: sftp-only.sshd_config.j2
+    dest: /etc/ssh/sshd_config.d/95-sftp-only.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload sshd
+  tags:
+  - sshd-config
+  - config