Allow groups to connect to SSH & SFTP
Showing
2 changed files
with
49 additions
and
0 deletions.
Empty file.
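--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/45AllowGroups2Sshd
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/45AllowGroups2Sshd
@@ -0,0 +1,49 @@
+{
+# Allow groups to sftp/ssh with different policies
+#
+# if $sssd{ShellOverrideStatus} is disabled we are in legacy (everybody is allowed with a shell access)
+# if $sssd{ShellOverrideStatus} is enabled we allow to root and members of domain admins group
+# if $sssd{ShellOverrideStatus} is enabled with non empty $sshd{AllowGroups}
+# we allow root, members of domain admins group and members of groups inside the AllowGroups prop
+#
+# members restricted to sftp (SftpRestrictedGroups) must be allowed to sshd also
+
+sub uniq {
+my %seen;
+return grep { !$seen{$_}++ } @_;
+}
+
+# ssh doesn't accept to login if we restrict with short group name
+# It seems to want the long group name group@domain.com
+my $domain = $DomainName || die ('Cannot retrieve DomainName');
+my $PermitRootLogin = $sshd{'PermitRootLogin'} || "no";
+my $policy = $sssd{'ShellOverrideStatus'} || "disabled";
+
+my @AllowGroups = ();
+foreach ( split(',',$sshd{'AllowGroups'} || '')) {
+my ($group, $sftp) = split(':', $_);
+
+if(!$group) {
+next;
+}
+$group .= "\@$domain" if ($group !~ '@');
+# Spaces are not accepted
+$group = '"'.$group.'"' if ($group=~ m/ /g);
+push @AllowGroups, $group;
+}
+
+my $admin = $admins{'group'} || 'domain admins';
+$admin .= "\@$domain" if ($admin !~ '@');
+# Spaces are not accepted
+$admin = '"'.$admin.'"' if ($admin=~ m/ /g);
+
+if (($policy eq 'enabled') && (!@AllowGroups)) {
+my $root = ($PermitRootLogin eq "yes") ? "root" : "";
+$OUT .= "AllowGroups $root $admin\n";
+}
+elsif (($policy eq 'enabled') && (@AllowGroups)) {
+my $root = ($PermitRootLogin eq "yes") ? "root" : "";
+my @allowedGroup = uniq(@AllowGroups);
+$OUT .= "AllowGroups $root $admin @allowedGroup\n";
+}
+}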
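Review bot: The two `my $root = ($PermitRootLogin eq "yes") ? "root" : "";` lines in the `if`/`elsif` branches only recognise the literal value `yes`, so a PermitRootLogin prop holding `prohibit-password` (or its older alias `without-password`) or `forced-commands-only` drops root's group from AllowGroups and locks root out entirely once ShellOverrideStatus is enabled, even though sshd itself would still permit key-based root login under those values; computing it once above the `if` as `my $root = ($PermitRootLogin =~ m{\A(?:yes|prohibit-password|without-password|forced-commands-only)\z}) ? "root" : "";` and removing the duplicate fixes both branches. The group names taken from `$sshd{'AllowGroups'}` and `$admins{'group'}` reach the generated sshd_config with no validation beyond the space check, so a value containing a newline or an embedded `"` would break the AllowGroups line or turn into a further directive; an anchored allow-list such as `next unless $group =~ m{\A[\w .@-]+\z};` (constructed example) before the `push`, and the same check on `$admin`, keeps the emitted file well-formed. The `/g` on the two `m/ /g` tests is unnecessary in boolean context and reads as if pos() tracking were intended; plain `m/ /` is clearer. The `$sftp` half of each `group:sftp` entry is parsed but never used here, which is presumably handled by another fragment for SftpRestrictedGroups, and a one-line comment saying so would save the next reader a search.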