From b447e1ebfb516212045765249e61b8ad675da5ca Mon Sep 17 00:00:00 2001
From: "ljf (zamentur)" <zamentur@users.noreply.github.com>
Date: Fri, 11 Sep 2020 20:27:40 +0200
Subject: [PATCH] [fix] Reduce right given to ynh users with ssh (#1050)

* [fix] Avoid ynh user to be able to use X11 forwarding

* [fix] Avoid some bad situations

* [fix] Remove chroot restrictions and x11 authorization

* Update comments

Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org>
---
 data/templates/ssh/sshd_config | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 8dc0e8dfc..fed01e6fd 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -69,12 +69,19 @@ AcceptEnv LANG LC_*
 
 # SFTP stuff
 Subsystem sftp internal-sftp
-Match User sftpusers
-        ForceCommand internal-sftp
-        ChrootDirectory /home/%u
-        AllowTcpForwarding no
-        GatewayPorts no
-        X11Forwarding no
+
+# Forbid users from using their account SSH as a VPN (even if SSH login is disabled)
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+
+# Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
+PermitUserRC no
+
+Match User admin,root
+    AllowTcpForwarding yes
+    AllowStreamLocalForwarding yes
+    PermitUserRC yes
+
 
 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and