From 51478d14e2f04fe8de1332b8e4ece10bdcb26e28 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 7 May 2021 19:48:22 +0200 Subject: [PATCH] ssh_config: add conf block for sftp apps --- data/templates/ssh/sshd_config | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config index 443d2e514..1c2854f73 100644 --- a/data/templates/ssh/sshd_config +++ b/data/templates/ssh/sshd_config @@ -90,6 +90,14 @@ Match Group sftp.main,!ssh.main # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled PermitUserRC no +Match Group sftp.app,!ssh.app + ForceCommand internal-sftp + ChrootDirectory %h + AllowTcpForwarding no + AllowStreamLocalForwarding no + PermitTunnel no + PermitUserRC no + PasswordAuthentication yes # root login is allowed on local networks # It's meant to be a backup solution in case LDAP is down and
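Review bot: `ChrootDirectory %h` in the new `Match Group sftp.app,!ssh.app` block only works if each app user's home and every directory above it is owned by root and not writable by group or others; sshd refuses the session otherwise, and nothing in this hunk shows how app homes are provisioned. The new block carries no comments, unlike the `PermitUserRC no` line of the sftp.main block just above it, so I would add one over that line, e.g. `# %h and all its parents must be root-owned and not group/world-writable, else sshd rejects the login`. Separately, `PasswordAuthentication yes` now sits between this Match line and whatever Match follows, so sshd applies it to sftp.app users only and it overrides a global `PasswordAuthentication no` for them; if that is intended, a one-line comment saying why would help. The rest of the file is outside the hunk, so the position of the next Match line is assumed rather than seen.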