
SFTP not configurable #110

Closed
jmara opened this issue Feb 3, 2016 · 3 comments

Comments

@jmara
Contributor

jmara commented Feb 3, 2016

Hi there,

is it worth creating a PR to enable/adjust the SFTP settings?

Cheers,
Jan

@atomic111
Member

Hi Jan,
thanks for bringing this up. Yes, please create a PR to enable and configure SFTP for this. Some ideas about the configuration of SFTP: I would configure it in the following way. What do you think?

Subsystem sftp internal-sftp -l VERBOSE
Match Group sftponly
        ForceCommand internal-sftp -l VERBOSE
        ChrootDirectory /share/%u
        AllowTcpForwarding no
        AllowAgentForwarding no
        PasswordAuthentication no
        PermitRootLogin no
        X11Forwarding no

So that we can configure the matching group, the ChrootDirectory, AllowAgentForwarding and so on.
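The Match block above is the shape the maintainer proposes. The following Ruby is an added example written for this page, not code from the ssh-hardening cookbook or from either commenter: it renders that block from the three attributes Jan proposes to expose (enable, group, chroot directory), keeps the forwarding and login directives as fixed restrictive defaults rather than configurable ones, and checks one OpenSSH requirement that is easy to get wrong: sshd refuses a ChrootDirectory unless every path component is owned by root and not writable by group or others. The keyword-argument names (`enable`, `group`, `chroot_dir`) are assumptions standing in for whatever attribute names the PR ends up using.

```ruby
# Added example (not the cookbook's code): render the SFTP Match block discussed
# in this issue and check ChrootDirectory ownership/permissions.

# Directives the maintainer proposed as fixed, restrictive defaults for the
# sftp-only group. Per the thread they are deliberately not made configurable.
SFTP_HARDENING = {
  'AllowTcpForwarding'     => 'no',
  'AllowAgentForwarding'   => 'no',
  'PasswordAuthentication' => 'no',
  'PermitRootLogin'        => 'no',
  'X11Forwarding'          => 'no',
}.freeze

# ChrootDirectory must be an absolute path; the only tokens sshd expands in it
# are %u (user name), %h (home directory) and %% (a literal percent sign).
def valid_chroot_path?(path)
  return false unless path.is_a?(String) && path.start_with?('/')
  path.scan(/%./).all? { |tok| %w[%u %h %%].include?(tok) }
end

# Render the sshd_config fragment. Note two sshd constraints reflected here:
# "Subsystem sftp" may appear only once and must sit outside any Match block,
# and Match blocks belong at the end of sshd_config because every directive
# after a Match line is scoped to it. Attribute names are assumptions.
def render_sftp_config(enable:, group: 'sftponly', chroot_dir: '/share/%u')
  return '' unless enable
  raise ArgumentError, "invalid ChrootDirectory: #{chroot_dir.inspect}" unless valid_chroot_path?(chroot_dir)
  raise ArgumentError, "invalid group name: #{group.inspect}" unless group =~ /\A[a-z_][a-z0-9_-]*\z/

  lines = [
    'Subsystem sftp internal-sftp -l VERBOSE',
    "Match Group #{group}",
    '        ForceCommand internal-sftp -l VERBOSE',
    "        ChrootDirectory #{chroot_dir}",
  ]
  SFTP_HARDENING.each { |key, value| lines << "        #{key} #{value}" }
  lines.join("\n") + "\n"
end

# sshd refuses to chroot into a directory (or any parent of it) that is not
# owned by root or that is writable by group or others. Accepts a File::Stat
# or any object responding to #uid and #mode, so it can be checked offline.
def chroot_dir_problems(st)
  problems = []
  problems << 'not owned by root (uid 0)' unless st.uid.zero?
  problems << 'writable by group' if (st.mode & 0o020) != 0
  problems << 'writable by others' if (st.mode & 0o002) != 0
  problems
end

# Walk from the chroot directory up to / and report every offending component.
def check_chroot_path(path)
  findings = {}
  dir = File.expand_path(path)
  loop do
    problems = chroot_dir_problems(File.stat(dir))
    findings[dir] = problems unless problems.empty?
    parent = File.dirname(dir)
    break if parent == dir
    dir = parent
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts render_sftp_config(enable: true, group: 'sftponly', chroot_dir: '/share/%u')
  # Example check of a literal directory (the %u form cannot be checked until expanded).
  check_chroot_path('/tmp').each { |d, p| puts "#{d}: #{p.join(', ')}" }
end
```

Running the file prints the rendered Match block and then lists any directory on the way from /tmp to / that would make sshd reject a chroot there; an empty listing means the path satisfies the ownership and write-permission rule.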

@jmara
Contributor Author

jmara commented Feb 3, 2016

Hi Patrick,

I've checked the Puppet and Ansible ssh-hardening and it looks like only Ansible takes care of the SFTP stuff and adds capabilities to enable and change ChrootDirectory for sftp.

I think the configuration should as well include Group like you suggested, but I'm currently unsure if it's a good security practice to allow the change of the other options like AllowAgentForwarding, PermitRootLogin.
As this cookbook focuses on hardening the sshd, I would suggest that I add the first three options: Enable, Group, ChrootDirectory, and if necessary extend these functions in the next versions.

What do you think?

Cheers,
Jan

@atomic111
Member

Hi Jan,
I totally agree with you. Maybe I have expressed myself wrongly. Recently I had a customer request to allow forwarding and so on for the other users and not allowing this for the sftponly group.

So just create your pull request. Thanks.

@jmara jmara mentioned this issue Feb 6, 2016