From 01b80255212592fbe09cbd5433fbc7a77242817f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= <clement@notin.org>
Date: Wed, 22 Apr 2020 16:50:04 +0200
Subject: [PATCH] sshd_config: PermitTunnel no

Restricted SFTP users don't have to create tunnels
---
 tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index 4d5d8dd..d77bb5e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -46,6 +46,7 @@
       Match Group {{ sftp_group_name }}
           ChrootDirectory %h
           AllowTCPForwarding no
+          PermitTunnel no
           X11Forwarding no
           ForceCommand internal-sftp {{ sftp_enable_logging | ternary('-l VERBOSE', '') }} {{ (sftp_start_directory in sftp_directories) | ternary('-d /' + sftp_start_directory, '') }}
           PasswordAuthentication {{ sftp_allow_passwords | ternary('yes', 'no') }}