# @package      hubzero-mw2-front-virtualssh
# @file         sshd_config_vssh
# @author       Pascal Meunier <pmeunier@purdue.edu>
# @copyright    Copyright (c) 2016-2017 HUBzero Foundation, LLC.
# @license      http://opensource.org/licenses/MIT MIT
#
# Copyright (c) 2016-2017 HUBzero Foundation, LLC.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# HUBzero is a registered trademark of HUBzero Foundation, LLC.
#

# The following is to be appended to /etc/ssh/sshd_config or, on newer sshd versions, pulled in with
# an Include directive. Two ordering rules matter when merging: a Match block extends to the next Match
# line or end of file, so the global XAuthLocation below must not land after an existing Match block;
# and when several matching Match blocks set the same keyword, only the first one applies, so any
# Match block already present in the base config takes precedence over the ones here.

# X forwarding support
# Point sshd at the xauth-incoming wrapper instead of the stock xauth binary.
# xauth-incoming needs SSH_ORIGINAL_COMMAND to detect the "session" command
# and this is set only when a ForceCommand is executed
# NOTE: XAuthLocation is a global keyword (not permitted inside a Match block),
# so in the merged sshd_config it must end up in the global section.
XAuthLocation /usr/bin/xauth-incoming

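# Force middleware user to use /usr/bin/maxwell notify
# ForceCommand only replaces the command the client asked for; it does not stop
# the client from requesting TCP, agent or tunnel forwarding, so those are
# disabled explicitly (assumed unnecessary for "maxwell notify" -- confirm
# with the middleware before deploying).
# Debian
Match User www-data
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        ForceCommand /usr/bin/maxwell notify
        Banner /etc/ssh/nobanner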

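# RedHat, CentOS
# Same restrictions as the Debian www-data block: ForceCommand alone leaves
# port/agent/tunnel forwarding available, so they are disabled here too
# (assumed unnecessary for "maxwell notify" -- confirm with the middleware).
Match User apache
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        ForceCommand /usr/bin/maxwell notify
        Banner /etc/ssh/nobanner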

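#
# Users limited to SFTP only
#
# Force everyone but members of groups root,mw-login or other privileged groups (e.g., wheel) to use SFTP.
# Exclude the user running Apache ("apache" or "www-data") so ChrootDirectory doesn't get set for it.
# A negated pattern naming a user that does not exist on this platform never matches and is harmless,
# so both names can stay; remove the one that doesn't apply if you prefer a platform-specific list.
# sshd requires /sftp and every directory above it to be owned by root and not writable by group or
# others, otherwise the chrooted session is refused.
# With the shell replaced by internal-sftp, forwarding is the remaining way to use this host as a
# pivot into the network, so it is disabled explicitly (internal-sftp does not need it).
Match Group *,!root,!mw-login,!wheel User *,!www-data,!apache
        ChrootDirectory /sftp
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        ForceCommand internal-sftp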

#
# Users limited to access tool session containers + chrooted SFTP
#
# Force mw-login group members to access only tool session containers (and SFTP)
# unless they are also members of a privileged group, e.g., wheel -- a negated
# pattern wins, so such a user matches no block here and keeps the global settings.
# X11 forwarding is to tool session containers (see "xauth-incoming" script).
# X11Forwarding itself is not enabled in this block, so it must come from the
# global section; only the display offset is set here.
# NOTE(review): no ChrootDirectory is set here, so the "chrooted SFTP" part is
# presumably implemented inside /usr/bin/session via SSH_ORIGINAL_COMMAND -- confirm.
# NOTE(review): TCP/agent forwarding is left at the global default for this block;
# if tool sessions do not rely on it, consider AllowTcpForwarding no and
# AllowAgentForwarding no here as well.
Match Group mw-login,!root,!wheel
        X11DisplayOffset 10
        ForceCommand /usr/bin/session
        Banner /etc/ssh/virtualssh_banner

