Update ssh config to handle scp users

Signed-off-by: Geoff Franks <Geoff.Franks@allstate.com>
compozed · Jul 24, 2018 · c2dd3a6 · c2dd3a6
1 parent 42114c6
commit c2dd3a6
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/jobs/jumpbox/templates/bin/pre-start b/jobs/jumpbox/templates/bin/pre-start
@@ -3,8 +3,17 @@
 set -e
 
 # force ssh logins into the docker container unless the user is jumpbox or is coming from a bosh ssh session
-if ! grep -e 'ForceCommand' /etc/ssh/sshd_config -q; then
-    echo "Match User *,!jumpbox,!bosh_*" >> /etc/ssh/sshd_config
+if ! grep -e 'ForceCommand /var/vcap/jobs/jumpbox/bin/jumpbox' /etc/ssh/sshd_config -q; then
+    echo "Match User *,!jumpbox,!bosh_*,!*-scp" >> /etc/ssh/sshd_config
     echo "  ForceCommand /var/vcap/jobs/jumpbox/bin/jumpbox" >> /etc/ssh/sshd_config
     service ssh restart
 fi
+
+# force sftp logins for all *-scp users
+if ! grep -e 'ForceCommand internal-sftp' /etc/ssh/sshd_config -q; then
+    echo "Match User *-scp" >> /etc/ssh/sshd_config
+    echo "  X11Forwarding no" >> /etc/ssh/sshd_config
+    echo "  AllowTcpForwarding no" >> /etc/ssh/sshd_config
+    echo "  ForceCommand internal-sftp" >> /etc/ssh/sshd_config
+    service ssh restart
+fi