Simplifying group management

roles/SSH/files/sshd_config

@@ -41,21 +41,23 @@ ChallengeResponseAuthentication no
 HostbasedAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
-DenyGroups [^ssh-allow]
-AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no
 
-## Access Controls
-Match Group ssh-forward
+## By default, only ssh-allow or ldapusers are allowed to sftp
+AllowGroups ssh sftp ldapuser
+Match Group ldapuser,sftp
+    ForceCommand internal-sftp
+    ChrootDirectory /home
+
+## Special groups are allowed shell
+Match Group wheel,ssh-allow
     AllowTcpForwarding yes
     PermitTunnel yes
     AllowAgentForwarding yes
     X11Forwarding yes
-
-Match Group sftp-home-jail
-    ForceCommand internal-sftp
-    ChrootDirectory /home
+    ForceCommand none
+    ChrootDirectory none
 
 # Allow other packages to ship snippets
 Include /etc/ssh/includes/*