Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing

roles/SSH/files/ssh_config

@@ -19,7 +19,7 @@
 
 # Host *
 #   ForwardAgent no
-ForwardX11 yes 
+ForwardX11 yes
 ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
@@ -46,5 +46,5 @@ ForwardX11Trusted yes
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
-UseRoaming no 
+UseRoaming no
 # fix for CVE-2016-0777

roles/SSH/files/sshd_config

@@ -1,6 +1,6 @@
-### AniNIX::SSH \\ Basic configuration for listening daemon ###
+### AniNIX/SSH | Basic configuration for listening daemon ###
 
-# Daemon spec #
+# Daemon spec
 Port 22
 ListenAddress 0.0.0.0
 PrintMotd yes
@@ -8,17 +8,18 @@ PrintLastLog yes
 StrictModes yes
 Protocol 2
 ChrootDirectory none
+
 # DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
 # RSA and ED25519 are stable.
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Network Performance #
+# Network Performance
 Compression yes
 ClientAliveInterval 5
 ClientAliveCountMax 3
 
-# Forwarding options # 
+# Forwarding options
 AllowTcpForwarding no
 PermitTunnel no
 AllowAgentForwarding no
@@ -27,10 +28,10 @@ X11DisplayOffset 10
 X11UseLocalhost no
 GatewayPorts no
 
-# Override default of no subsystems to allow SFTP #
-Subsystem	sftp	/usr/lib/ssh/sftp-server
+# Override default of no subsystems to allow SFTP
+Subsystem	sftp	internal-sftp
 
-# Authentication #
+# Authentication
 PubkeyAuthentication yes
 AuthorizedKeysFile	.ssh/authorized_keys
 PasswordAuthentication yes
@@ -44,16 +45,16 @@ AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no
 
-## Access Controls ###
+## Access Controls
 Match Group ssh-forward
     AllowTcpForwarding yes
     PermitTunnel yes
     AllowAgentForwarding yes
     X11Forwarding yes
-      
-Match Group sftp-home-jail
-    ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
-    ChrootDirectory /home # Lock the user in their home directory
 
-Match User crypto
-    ForceCommand /usr/local/bin/captivecrypto
+Match Group sftp-home-jail
+    ForceCommand internal-sftp
+    ChrootDirectory /home
+
+# Allow other packages to ship snippets
+Include /etc/ssh/includes/*

roles/SSH/tasks/main.yml

@@ -64,6 +64,15 @@
        src: sshd_config
        dest: /etc/ssh/sshd_config
 
+ - name: Allow SSHD Includes
+   become: yes
+   file:
+     path: /etc/ssh/includes
+     state: directory
+     user: root
+     group: root
+     mode: 0755
+
  - name: Restart SSHD (ArchLinux)
    become: yes
    when: ansible_os_family == "Archlinux" and sshd_config.changed