move Match Group sftponly block to the end

mib1185 · mib1185 · commit 4ae5acf05033 · 2025-02-25T15:29:00.000Z
Signed-off-by: Michael &lt;35783820+mib1185@users.noreply.github.com&gt;
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -89,11 +89,6 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Specifies the umask for sftp.
   - Type: str
   - Required: no
-- `sftp_password_login`
-  - Default: inherite from `ssh_server_password_login`
-  - Description: Set to `true` to allow password-based authentication to the sftp server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `sftp_password_login`: `true`.
-  - Type: bool
-  - Required: no
 - `ssh_allow_agent_forwarding`
   - Default: `False`
   - Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding.
diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
@@ -180,9 +180,6 @@ sftp_umask: "0027"
 # change default sftp chroot location
 sftp_chroot_dir: /home/%u
 
-# If true, password login for sftp is allowed
-sftp_password_login: "{{ ssh_server_password_login }}"
-
 # enable experimental client roaming
 ssh_client_roaming: false
 
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -274,18 +274,6 @@ RevokedKeys /etc/ssh/revoked_keys
 # Subsystem sftp /opt/app/openssh5/libexec/sftp-server
 
 Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
-
-# These lines must appear at the *end* of sshd_config
-Match Group sftponly
-    ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
-{% if sftp_chroot %}
-    ChrootDirectory {{ sftp_chroot_dir }}
-{% endif %}
-    AllowTcpForwarding no
-    AllowAgentForwarding no
-    PasswordAuthentication {{ 'yes' if (sftp_password_login|bool) else 'no' }}
-    PermitRootLogin no
-    X11Forwarding no
 {% endif %}
 {% if ssh_server_match_address %}
 
@@ -335,3 +323,17 @@ Match LocalPort {{ item.port }}
   {% endfor %}
 {% endfor %}
 {% endif %}
+
+{% if sftp_enabled %}
+# These lines must appear at the *end* of sshd_config
+Match Group sftponly
+    ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
+{% if sftp_chroot %}
+    ChrootDirectory {{ sftp_chroot_dir }}
+{% endif %}
+    AllowTcpForwarding no
+    AllowAgentForwarding no
+    PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
+    PermitRootLogin no
+    X11Forwarding no
+{% endif %}
