Allow to override settings for sftponly users

[mib1185]

This will allow to enable password-based login for sftp, while it is still disabled for ssh connections.
To prevent a breaking change, this new option sftp_password_login inherits from ssh_server_password_login

[schurzi]

Your proposal seems reasonable, but we really want to avoid introducing more variables for our roles.

I have spent some time thinking about this and I think you can use existing variables to achieve the same result. We offer a way to add more custom group matches to sshd config via ssh_server_match_group. All these matches are placed after our main config and can be used to override previous config. so if you add these variables you should be able to get this working without changing the role.

Can you try adding these variables?

    ssh_server_match_group:
      - group: sftponly
        rules:
          - PasswordAuthentication yes

[mib1185]

Hi @schurzi
sorry for late reply. thanks for this suggestion, we will check if it fits for our needs. Since we're in progress of re-thinking of the concept, which is affected by this settings, i'm going to close this PR for now.

[mib1185]

Hi @schurzi
sorry for the very long delay, but I just come back to this topic now. I've checked your suggesiton with an additional match group section, but unfortunately when a rule is matched multiple times, then only the first is applied, so it is not possible to override with a subsequent match block. I can also confirm this, since I was trying to add such override the last 5 hours with no success 🙈

source: https://man7.org/linux/man-pages/man5/sshd_config.5.html

   Match   Introduces a conditional block.  If all of the criteria on
           the Match line are satisfied, the keywords on the
           following lines override those set in the global section
           of the config file, until either another Match line or the
           end of the file.  If a keyword appears in multiple Match
           blocks that are satisfied, only the first instance of the
           keyword is applied.

[mib1185]

An alternative solution should be, to move the current defined Match Group sftponly to the very end of the config, so one could add an own Match Group sftponly block with just the rules which should be overwritten. But this might cause to shadow the intended Match Group sftponly block by earlier rule matches 🤔

[schurzi]

I can also confirm this, since I was trying to add such override the last 5 hours with no success 🙈

Damn usually the config works as last matching entry wins. I had not considered that this is reverse for Match rules.

Your proposal to put the default at the end would work with my initial suggestion and also avoid additional variables. I like that. Do you want to update this MR?

[mib1185]

I've rewokrd the PR as discussed. It is also tested and works as expected 👍

[schurzi]

awesome, thank you @mib1185!

[mib1185]

Is there already a schedule for the next release of the collection?

[schurzi]

Is there already a schedule for the next release of the collection?

now :)