ssh config: indent, misc readabilty improvements

2024-09-03 20:06:10 +02:00 · 2021-03-25 16:19:40 +01:00 · 2021-03-25 16:19:40 +01:00 · b40f21458f
commit b40f21458f
parent f158a4da9e
1 changed files with 12 additions and 13 deletions
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@ -78,18 +78,17 @@ Subsystem sftp internal-sftp

 # Apply following instructions to user with sftp perm only
 Match Group sftp.main,!ssh.main
-ForceCommand internal-sftp
-# We currently are not able to restrict /home/USER
-# So we chroot only on /home
-# See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
-#ChrootDirectory /home/%u
-ChrootDirectory /home
-# Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
-AllowTcpForwarding no
-AllowStreamLocalForwarding no
-PermitTunnel no
-# Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
-PermitUserRC no
+    ForceCommand internal-sftp
+    # We can't restrict to /home/%u because the chroot base must be owned by root
+    # So we chroot only on /home
+    # See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
+    ChrootDirectory /home
+    # Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
+    AllowTcpForwarding no
+    AllowStreamLocalForwarding no
+    PermitTunnel no
+    # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
+    PermitUserRC no


 # root login is allowed on local networks