From bf00eb188ff2e7c147f6288d0400bd8ae668ca87 Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Thu, 9 Jul 2020 02:12:20 -0700
Subject: [PATCH] jailsetup.sh: improve sshd_config for mob and git

Make use of the "Match" keyword so that password authentication
will only be accepted for the "mob" and "git" user and that
empty passwords are also only enabled for those users (which
are actually empty password users).

With this change in place, attempts to connect with an
unrecognized public key (for non-mob, non-git users) will
no longer incorrectly prompt for a password (which doesn't
exist).

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
---
 jailsetup.sh | 47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)

diff --git a/jailsetup.sh b/jailsetup.sh
index 1a95629..481d584 100755
--- a/jailsetup.sh
+++ b/jailsetup.sh
@@ -488,35 +488,40 @@ fi
 mkdir -p var/run/sshd
 if ! [ -s etc/ssh/sshd_config ]; then
 	cat >etc/ssh/sshd_config <<EOT
-Protocol		2
-Port			$cfg_sshd_jail_port
-UsePAM			no
-X11Forwarding		no
-AllowAgentForwarding	no
-AllowTcpForwarding	no
-PermitTunnel		no
-IgnoreUserKnownHosts	yes
-PrintLastLog		no
-PrintMotd		no
-UseDNS			no
-PermitRootLogin		no
-UsePrivilegeSeparation	yes
-
-HostKey			/etc/ssh/ssh_host_rsa_key
+Protocol			2
+Port				$cfg_sshd_jail_port
+UsePAM				no
+X11Forwarding			no
+AllowAgentForwarding		no
+AllowTcpForwarding		no
+PermitTunnel			no
+IgnoreUserKnownHosts		yes
+PrintLastLog			no
+PrintMotd			no
+UseDNS				no
+PermitRootLogin			no
+UsePrivilegeSeparation		yes
+PubkeyAuthentication		yes
+ChallengeResponseAuthentication	no
+PasswordAuthentication		no
+PermitEmptyPasswords		no
+
+HostKey				/etc/ssh/ssh_host_rsa_key
 EOT
 if [ -z "$cfg_disable_dsa" ]; then
 	cat >>etc/ssh/sshd_config <<EOT
-HostKey			/etc/ssh/ssh_host_dsa_key
+#PubkeyAcceptedKeyTypes		+ssh-dss
+HostKey				/etc/ssh/ssh_host_dsa_key
 EOT
 fi
 	cat >>etc/ssh/sshd_config <<EOT
-AuthorizedKeysFile	/etc/sshkeys/%u
-StrictModes		no
+AuthorizedKeysFile		/etc/sshkeys/%u
+StrictModes			no
 
 # mob and git users:
-PermitEmptyPasswords	yes
-ChallengeResponseAuthentication no
-PasswordAuthentication	yes
+Match User mob,git
+PasswordAuthentication		yes
+PermitEmptyPasswords		yes
 EOT
 fi
 if ! [ -s etc/ssh/ssh_host_rsa_key ]; then
-- 
2.11.4.GIT