Simplifying group management

roles/SSH/files/sshd_config

@@ -41,21 +41,23 @@ ChallengeResponseAuthentication no
 HostbasedAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
-DenyGroups [^ssh-allow]
-AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no
 
-## Access Controls
-Match Group ssh-forward
+## By default, only ssh-allow or ldapusers are allowed to sftp
+AllowGroups ssh sftp ldapuser
+Match Group ldapuser,sftp
+    ForceCommand internal-sftp
+    ChrootDirectory /home
+
+## Special groups are allowed shell
+Match Group wheel,ssh-allow
     AllowTcpForwarding yes
     PermitTunnel yes
     AllowAgentForwarding yes
     X11Forwarding yes
-
-Match Group sftp-home-jail
-    ForceCommand internal-sftp
-    ChrootDirectory /home
+    ForceCommand none
+    ChrootDirectory none
 
 # Allow other packages to ship snippets
 Include /etc/ssh/includes/*

roles/SSH/tasks/main.yml

@@ -34,15 +34,14 @@
        name: "{{ item }}"
        state: present
    loop:
-       - ssh-allow
-       - ssh-forward
-       - sftp-home-jail
+       - ssh
+       - sftp
 
- - name: Add SSH user to ssh-allow
+ - name: Add SSH user to ssh group
    become: yes
    user:
        name: "{{ ansible_user_id }}"
-       groups: ssh-allow
+       groups: ssh
        append: yes
 
  - name: Copy the SSH key
@@ -75,7 +74,7 @@
    file:
      path: /etc/ssh/includes
      state: directory
-     user: root
+     owner: root
      group: root
      mode: 0755