From b40f21458f82c3c9fc3619ac9593f6cca7f6ba73 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 25 Mar 2021 16:19:40 +0100
Subject: [PATCH] ssh config: indent, misc readabilty improvements
---
 data/templates/ssh/sshd_config | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index bb6520e64..28e424aa8 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -78,18 +78,17 @@ Subsystem sftp internal-sftp
 # Apply following instructions to user with sftp perm only
 Match Group sftp.main,!ssh.main
-ForceCommand internal-sftp
-# We currently are not able to restrict /home/USER
-# So we chroot only on /home
-# See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
-#ChrootDirectory /home/%u
-ChrootDirectory /home
-# Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
-AllowTcpForwarding no
-AllowStreamLocalForwarding no
-PermitTunnel no
-# Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
-PermitUserRC no
+ ForceCommand internal-sftp
+ # We can't restrict to /home/%u because the chroot base must be owned by root
+ # So we chroot only on /home
+ # See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
+ ChrootDirectory /home
+ # Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
+ AllowTcpForwarding no
+ AllowStreamLocalForwarding no
+ PermitTunnel no
+ # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
+ PermitUserRC no
 # root login is allowed on local networks
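Review bot: The rewritten comment above `ChrootDirectory /home` understates the actual sshd requirement, which is that the chroot directory and every component of its path must be owned by root and not writable by group or others; that is why a user-owned /home/%u is rejected while /home is accepted, so suggest `# sshd requires the chroot dir and every path component to be root-owned and not group/world-writable, so a user-owned /home/%u cannot be used`. It would also help to state the consequence right next to the directive: chrooted sftp users can list /home and enter other users' home directories as far as ordinary filesystem permissions allow, so those permissions become the only isolation between sftp accounts. Within the same Match block, `ForceCommand internal-sftp` replaces the command but does not by itself refuse agent or X11 channel requests, so the forwarding group could additionally carry `AllowAgentForwarding no` and `X11Forwarding no` for the same "account is sftp-only" intent the comments describe. Note that the added indentation is cosmetic for sshd: the Match block ends only at the next Match directive, which here is the Match Address block in the following hunk.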
@@ -98,4 +97,4 @@ PermitUserRC no
 # If the server is a VPS, it's expected that the owner of the
 # server has access to a web console through which to log in.
 Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
- PermitRootLogin yes
+ PermitRootLogin yes