r/fileserver: Restrict non-administrators to SFTP
Normal users do not need shell access to the file server, and certainly should not be allowed to e.g. forward ports through it. Using a `Match` block, we can apply restrictions to users who do not need administrative functionality. In this case, we restrict everyone who is not a member of the *Server Admins* group in the PYROCUFFLINK AD domain.
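As an added check, not code from the fileserver role: the sshd_config semantics the commit message relies on (a `Match` block runs from its keyword to the next `Match` or the end of the file, keywords are case-insensitive, and the first value of a keyword wins) are easy to get wrong when the block is a templated fragment. The linter below parses a rendered sshd_config into its global and `Match` sections and reports three things a reviewer would look for: a `Match` block that only carries negated patterns (sshd never matches on a negation alone, so `Group !admins` matches nobody; `Group *,!admins` is the "not in admins" form), global keywords swallowed by a `Match` that was placed too early, and SFTP-only blocks missing any of the restrictions the commit sets. The sample configs and the criterion `Group *,!sftp-admins` are constructed for illustration; the role's real criterion comes from `fileserver_sftp_only_match`, whose value is not shown on this page.

```python
"""Lint a rendered sshd_config for an SFTP-only Match block.

Added example, not code from the fileserver role. Sample configs and the
'sftp-admins' group are constructed; the real criterion comes from the
fileserver_sftp_only_match variable, which is not shown on the page.
"""
import re

# Directive -> value an SFTP-only Match block is expected to carry.
REQUIRED = {
    "forcecommand": "internal-sftp", "disableforwarding": "yes",
    "allowtcpforwarding": "no", "allowstreamlocalforwarding": "no",
    "allowagentforwarding": "no", "permittunnel": "no",
    "permitlisten": "none", "permitopen": "none",
    "permittty": "no", "permituserrc": "no",
}
# Keywords sshd does not accept inside Match: seeing one there means a
# global line landed after the Match block and was swallowed by it.
NOT_IN_MATCH = {"subsystem", "port", "listenaddress", "hostkey"}
# Match criteria whose pattern lists use the "!" negation operator.
PATTERN_CRITERIA = {"user", "group", "host", "address", "localaddress"}


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...])."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        # "Keyword value" or "Keyword=value"; keywords are case-insensitive
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.*)$", line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            current = {}  # a block runs until the next Match or end of file
            blocks.append((value, current))
        else:  # first occurrence of a keyword wins, as in sshd
            (global_cfg if current is None else current).setdefault(key, value)
    return global_cfg, blocks


def negation_only_criteria(criteria):
    """Names of criteria whose pattern list has no positive term (never match)."""
    tokens = criteria.split()
    return [name for name, pats in zip(tokens[::2], tokens[1::2])
            if name.lower() in PATTERN_CRITERIA
            and all(p.startswith("!") for p in pats.split(","))]


def check_sftp_only(block):
    """List REQUIRED directives the block misses or sets to another value."""
    out = []
    for key, expected in REQUIRED.items():
        got = block.get(key)
        if got is None:
            out.append(f"{key}: missing")
        elif got.lower() != expected:
            out.append(f"{key}: {got!r} != {expected!r}")
    return out


def lint_sftp_only(text):
    """Run all checks over a rendered sshd_config; return a list of findings."""
    _, blocks = parse_sshd_config(text)
    if not blocks:
        return ["no Match block found"]
    findings = []
    for criteria, block in blocks:
        for name in negation_only_criteria(criteria):
            findings.append(f"Match {criteria}: {name} has only negated terms")
        for key in sorted(block.keys() & NOT_IN_MATCH):
            findings.append(f"Match {criteria}: {key} is not valid in Match")
        if block.get("forcecommand", "").lower() == "internal-sftp":
            findings += [f"Match {criteria}: {p}" for p in check_sftp_only(block)]
    return findings


# Constructed: globals first, SFTP-only block last, positive term in the pattern.
GOOD_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
Match Group *,!sftp-admins
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    AllowTcpForwarding no
    DisableForwarding yes
    ForceCommand internal-sftp
    PermitListen none
    PermitOpen none
    PermitTTY no
    PermitTunnel no
    PermitUserRC no
"""

# Constructed: negated-only criterion, a global line after the block,
# and most of the restrictions left out.
BAD_CONFIG = """\
Port 22
Match Group !sftp-admins
    ForceCommand internal-sftp
    DisableForwarding yes
    AllowTcpForwarding no
Subsystem sftp internal-sftp
"""
```

Run `lint_sftp_only()` over the file the role actually renders (for example from a CI job after `ansible-playbook --check`, or over `/etc/ssh/sshd_config` on the host); an empty list means the block is positioned last, its criterion can match someone, and every restriction from the commit is present. The parser deliberately models only the two rules that matter here (block boundaries and first-value-wins); it is a lint, not a replacement for `sshd -t` or `sshd -T -C user=...`, which report what sshd itself will apply.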
roles/fileserver/templates/sftp-only.sshd_config.j2 (new file, 11 lines)
@@ -0,0 +1,11 @@
Match {{ fileserver_sftp_only_match }}
AllowAgentForwarding no
AllowStreamLocalForwarding no
AllowTcpForwarding no
DisableForwarding yes
ForceCommand internal-sftp
PermitListen none
PermitOpen none
PermitTTY no
PermitTunnel no
PermitUserRC no
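Review bot: the `Match {{ fileserver_sftp_only_match }}` line leaves the whole criterion to a variable whose expected shape is not documented, and the commit message says the target is "everyone who is not a member of Server Admins", so the natural value is a negated `Group` pattern. In sshd a negated pattern never matches on its own: `Group !admins` matches nobody and this block silently applies to no one, whereas `Group *,!admins` is the form that means "not in admins". Please state that shape (and a default) next to the variable so whoever sets it does not fall into that trap. Two smaller points on the same hunk: the fragment's `Match` extends to the end of whatever file it is rendered into, so it has to land after every global directive (appended last, or pulled in with `Include` at the end of sshd_config), and a comment in the template saying so would help; and `DisableForwarding yes` already overrides the `AllowAgentForwarding`, `AllowStreamLocalForwarding`, `AllowTcpForwarding` and `PermitTunnel` lines, so they are belt-and-braces rather than required, which is fine to keep but worth a one-line comment so nobody later trims the wrong one.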