Add support for including per-user settings
OpenSSH from version 8.2/8.2p1 (2020-02-14) onwards has Include support. Specifically, the following line is at the top of the /etc/ssh/sshd_config file, and since sshd uses the first value it obtains for each setting, any .conf files in that directory override the settings in the main sshd_config file:

```
Include /etc/ssh/sshd_config.d/*.conf
```
It would be nice if this YAML:

```yaml
ssh_users:
  foo:
    present: true
    allow_tcp_forwarding: false
    authentication_methods: publickey password
    password_authentication: true
    permit_tty: true
    pubkey_authentication: true
    force_command: internal-sftp
ssh_groups:
  sudo:
    present: true
    allow_tcp_forwarding: true
    authentication_methods: publickey
    password_authentication: false
    permit_tty: true
    pubkey_authentication: true
```
resulted in the following lines being added to the end of /etc/ssh/sshd_config:

```
Include /etc/ssh/sshd_config.d/user/*.conf
Include /etc/ssh/sshd_config.d/group/*.conf
```
and the /etc/ssh/sshd_config.d/user/foo.conf and /etc/ssh/sshd_config.d/group/sudo.conf files being created containing (sshd_config keywords are separated from their values by whitespace, not a colon, and booleans are written as yes/no):

```
# /etc/ssh/sshd_config.d/group/sudo.conf
Match group sudo
    AllowTcpForwarding yes
    AuthenticationMethods publickey
    PasswordAuthentication no
    PermitTTY yes
    PubkeyAuthentication yes
```

```
# /etc/ssh/sshd_config.d/user/foo.conf
Match user foo
    AllowTcpForwarding no
    AuthenticationMethods publickey password
    PasswordAuthentication yes
    PermitTTY yes
    PubkeyAuthentication yes
    ForceCommand internal-sftp
```
See the Match keyword in sshd_config(5) for all the settings allowed inside a Match block. Only one template would be needed for both users and groups, and this could potentially also be expanded to Match host and whatever other criteria are allowed in the future.

This would allow all the current specific Match blocks to be removed from the sshd_config template, as the current results could be generated from variables in playbooks.
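As an added example (not code from the role or from this issue), a plain-Python rendering of the proposed YAML into the per-user and per-group files. It shows the key-to-keyword mapping, the bool-to-yes/no conversion and the rejection of keys that are not valid inside a Match block that a single template would need; the data, keys and file paths are the ones from the proposal above.

```python
# Constructed data mirroring the ssh_users / ssh_groups YAML in the proposal.
SSH_USERS = {"foo": {
    "present": True, "allow_tcp_forwarding": False,
    "authentication_methods": "publickey password",
    "password_authentication": True, "permit_tty": True,
    "pubkey_authentication": True, "force_command": "internal-sftp"}}
SSH_GROUPS = {"sudo": {
    "present": True, "allow_tcp_forwarding": True,
    "authentication_methods": "publickey", "password_authentication": False,
    "permit_tty": True, "pubkey_authentication": True}}

# YAML key -> sshd_config keyword, spelled as in sshd_config(5). Only keywords
# that sshd permits inside a Match block belong here; anything else is an error
# rather than being silently written out where sshd would reject or misapply it.
KEYWORDS = {
    "allow_tcp_forwarding": "AllowTcpForwarding",
    "authentication_methods": "AuthenticationMethods",
    "password_authentication": "PasswordAuthentication",
    "permit_tty": "PermitTTY",
    "pubkey_authentication": "PubkeyAuthentication",
    "force_command": "ForceCommand",
}

def render_match(kind, name, settings):
    """Return one 'Match <kind> <name>' block, or '' when present is false."""
    if kind not in ("user", "group"):  # extend here for host etc.
        raise ValueError(f"unsupported Match criterion: {kind}")
    if not settings.get("present", True):
        return ""  # the caller should remove the file instead
    lines = [f"Match {kind} {name}"]
    for key, value in settings.items():
        if key == "present":
            continue
        if key not in KEYWORDS:
            raise KeyError(f"{key} is not a Match-able setting")
        if isinstance(value, bool):  # sshd wants yes/no, not True/False
            value = "yes" if value else "no"
        lines.append(f"    {KEYWORDS[key]} {value}")
    return "\n".join(lines) + "\n"

def render_all(users, groups):
    """Map each output path to its content. Every file starts with Match, and a
    Match block runs to the next Match or end of file, so the Include lines
    must stay at the end of sshd_config, after every global directive."""
    files = {}
    for name, settings in users.items():
        files[f"/etc/ssh/sshd_config.d/user/{name}.conf"] = render_match("user", name, settings)
    for name, settings in groups.items():
        files[f"/etc/ssh/sshd_config.d/group/{name}.conf"] = render_match("group", name, settings)
    return files
```

After writing the files, `sshd -t` checks the syntax and `sshd -T -C user=foo,host=bastion.example,addr=192.0.2.1` prints the effective settings for that (constructed) connection, which confirms the Match block actually applies.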