Description
Is your feature request related to a problem? Please describe.
I am trying to reproduce an SFTP config with multiple groups with distinct configurations (chroot, AuthorizedKeysFile, etc.). We have a use case where we want org level users to have chroot set to the full ftp directory and "guest" users to use a sub-directory associated with their user. Right now the cookbook only supports a single SFTP group.
Describe the solution you'd like
Ideally, I'd like a hash where each element would correspond to a group and have the related configurations beneath it. For backwards compatibility, it could be something like default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']
which defaults to nil and is appended to the main group config. So, for example, the attributes would be:
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['chroot'] = '/home/%u'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['password_authentication'] = true
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['chroot'] = '/home'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['password_authentication'] = false
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['authorized_keys_file'] = '/path'
would create the config:
Match Group group1
ChrootDirectory /home/%u
ForceCommand internal-sftp
PasswordAuthentication yes
...
Match Group group2
ChrootDirectory /home
ForceCommand internal-sftp
PasswordAuthentication no
AuthorizedKeysFile /path
...
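To show how the proposed attribute hash maps onto the sshd_config output above, here is an added Ruby example (not code from the ssh-hardening cookbook, and not an implementation the maintainers have agreed to). The attribute keys chroot, password_authentication and authorized_keys_file follow the proposal in this request; the function names, the validation of the chroot path, and the sample hash are assumptions constructed for illustration. The rendering always emits ForceCommand internal-sftp for every group, since the point of a chrooted SFTP group is that its members get no shell.

```ruby
# Added example: render the proposed 'extra-groups' attribute hash into
# sshd_config "Match Group" blocks. Not the cookbook's own code; the helper
# names and the validation rules are assumptions for this illustration.

# Attribute keys this renderer understands (taken from the proposal above).
SUPPORTED_KEYS = %w[chroot password_authentication authorized_keys_file].freeze

# Reject input that would produce a broken or unsafe Match block. sshd itself
# also requires ChrootDirectory to be root-owned and not group/world writable,
# but that is a filesystem check outside the scope of config rendering.
def validate_group!(name, opts)
  raise ArgumentError, "group name #{name.inspect} must not contain whitespace" if name.to_s =~ /\s/
  unknown = opts.keys - SUPPORTED_KEYS
  raise ArgumentError, "group #{name}: unsupported option(s) #{unknown.inspect}" unless unknown.empty?
  chroot = opts['chroot']
  if chroot && !chroot.to_s.start_with?('/')
    raise ArgumentError, "group #{name}: chroot #{chroot.inspect} must be an absolute path"
  end
end

# Render one group in the same keyword order as the config shown in the request.
def render_group(name, opts)
  validate_group!(name, opts)
  lines = ["Match Group #{name}"]
  lines << "  ChrootDirectory #{opts['chroot']}" if opts.key?('chroot')
  # Always force internal-sftp so group members cannot obtain a shell.
  lines << '  ForceCommand internal-sftp'
  if opts.key?('password_authentication')
    lines << "  PasswordAuthentication #{opts['password_authentication'] ? 'yes' : 'no'}"
  end
  lines << "  AuthorizedKeysFile #{opts['authorized_keys_file']}" if opts.key?('authorized_keys_file')
  lines.join("\n")
end

# Render every extra group; nil (the proposed default) yields no output, so
# existing single-group configs are unchanged.
def render_sftp_extra_groups(extra_groups)
  return '' if extra_groups.nil? || extra_groups.empty?
  extra_groups.map { |name, opts| render_group(name, opts) }.join("\n\n") + "\n"
end

# Constructed sample mirroring the attributes in the request (string keys, as
# Chef node attributes are string-keyed).
SAMPLE_EXTRA_GROUPS = {
  'group1' => { 'chroot' => '/home/%u', 'password_authentication' => true },
  'group2' => { 'chroot' => '/home', 'password_authentication' => false,
                'authorized_keys_file' => '/path' },
}.freeze

puts render_sftp_extra_groups(SAMPLE_EXTRA_GROUPS) if $PROGRAM_NAME == __FILE__
```

In a cookbook this logic would live in a template helper or the sshd_config ERB template; the important design choice is that every extra group forces internal-sftp and that a relative chroot path is rejected at render time rather than discovered when sshd refuses to start.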
Describe alternatives you've considered
I've considered as a workaround disabling SFTP in the attributes and using the generic "extras" config to manually place all of the config necessary for SFTP. I've yet to test this, but it is not ideal because it creates additional burden to maintain and secure that config and could break with future versions of the cookbook.