[PATCH] Creating sftp disable mechanism

Mike McGrath mmcgrath at redhat.com
Fri May 15 16:07:12 UTC 2009


Also disabling sftp on fedorahosted boxes
---
 manifests/servergroups/hosted.pp      |    1 +
 modules/ssh/manifests/init.pp         |    6 ++++++
 modules/ssh/templates/sshd_config.erb |    2 +-
 3 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp
index 30142e2..24d3720 100644
--- a/manifests/servergroups/hosted.pp
+++ b/manifests/servergroups/hosted.pp
@@ -4,6 +4,7 @@ class hosted {
     $restrictedApp = '/usr/bin/run-git'
     $sshd_config_PasswordAuthentication = 'no'
     $sshd_config_AllowTcpForwarding = 'no'
+    $sshd_config_sftp = '/bin/false'
     include global
     include hosted-server
     include fas::fas
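Review bot: Setting `$sshd_config_sftp = '/bin/false'` only affects requests for the sftp subsystem. File copies made through scp or any other exec request are untouched by this line and depend on how `$restrictedApp` is enforced, which is not visible in this hunk. If the intent is to stop file transfer on these hosts in general, confirm that against the restricted-app wrapper rather than assuming it from this setting. A comment above the new line would record the intent, for example `# sftp subsystem runs /bin/false so sftp sessions exit at once; scp is governed by $restrictedApp`. The body of class hosted continues past the end of the hunk.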
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 9c8b62d..4972851 100644
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -17,6 +17,12 @@ class ssh::sshd {
         default => $sshd_config_StrictModes
     }
 
+    $sshd_config_sftp = $sshd_config_sftp ? {
+        '' => "/usr/libexec/openssh/sftp-server",
+        default => $sshd_config_sftp
+    }
+
+
     file { "/etc/ssh/sshd_config":
         content => template("ssh/sshd_config.erb"),
         mode => 0600,
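Review bot: The new `$sshd_config_sftp` selector is undocumented: nothing in the class says that the variable holds the command for the sftp Subsystem line, or that `/bin/false` is the convention for turning sftp off. A comment above the selector would cover it, for example `# $sshd_config_sftp: command for the sftp Subsystem line; '/bin/false' disables sftp, unset keeps sftp-server`. On style, the block adds two blank lines where one separates the neighbouring selectors, and the default path can be single-quoted like the value in hosted.pp since it interpolates nothing. The file resource that follows runs past the end of the hunk.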
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index ea656ec..2e90a99 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -116,4 +116,4 @@ X11Forwarding yes
 #Banner /some/path
 
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/openssh/sftp-server
+Subsystem	sftp	<%= sshd_config_sftp %>
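Review bot: With the hosted value the template still emits a Subsystem line (`Subsystem sftp /bin/false`), so sshd keeps sftp defined and starts a process for each request instead of refusing the subsystem outright. The comment just above says the default is no subsystems, so dropping the line when sftp is disabled gives a cleaner refusal and leaves nothing to execute. The simplest form is to guard the line, `<% if sshd_config_sftp != '/bin/false' -%>` before it and `<% end -%>` after it, or better, key the guard on a dedicated on/off variable so the path and the switch are separate. The value is also written into sshd_config as given, so a mistyped path would only show up when a client connects.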
-- 
1.5.5.6



