From 8398aec0293f68c59058edd897820062a2acba24 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Jun 29 2022 21:17:13 +0000 Subject: basessh: enable internal sftp server globally. In the past we only enabled sftp on servers where we needed it. (ones using sshfs, ones that users might need to sftp to, etc). However, now days the openssh scp client uses sftp, so we might as well just enable it globally so people don't need to use 'scp -O' (which has it use the old scp protocol, which will be removed someday). Signed-off-by: Kevin Fenzi
---
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 4348cc7..9c4f3f7 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -233,10 +233,6 @@ ssh_hostnames: []
 sshd_keyhelper: false
 # Normal default sshd port is 22
 sshd_port: 22
-#
-# sshd can run a internal sftp server, we need this on some hosts, but
-# not on most of them, so default to false
-sshd_sftp: false
 tcp_ports: []
 # example of ports for default iptables
 # tcp_ports: [ 22, 80, 443 ]
diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index d05a84c..9f38aca 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -71,6 +71,5 @@ nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
 num_cpus: 10
 primary_auth_source: ipa
-sshd_sftp: true
 tcp_ports: [80, 443, 8442, 8443]
 vpn: true
diff --git a/inventory/group_vars/people b/inventory/group_vars/people
index b66614c..15ba321 100644
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@@ -41,6 +41,4 @@ ipa_client_sudo_groups:
 ipa_host_group: people
 ipa_host_group_desc: A place for people to host things
 primary_auth_source: ipa
-# enable sftp for cotributors.
-sshd_sftp: true
 vpn: true
diff --git a/inventory/group_vars/secondary b/inventory/group_vars/secondary
index daf2462..ec8bd98 100644
--- a/inventory/group_vars/secondary
+++ b/inventory/group_vars/secondary
@@ -22,5 +22,4 @@ nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
 primary_auth_source: ipa
 rsyncd_conf: "rsyncd.conf.download-{{ datacenter }}"
-sshd_sftp: true
 tcp_ports: [80, 443, 873]
diff --git a/inventory/host_vars/koji01.iad2.fedoraproject.org b/inventory/host_vars/koji01.iad2.fedoraproject.org
index 7b6b595..f7c24d1 100644
--- a/inventory/host_vars/koji01.iad2.fedoraproject.org
+++ b/inventory/host_vars/koji01.iad2.fedoraproject.org
@@ -10,8 +10,6 @@ ks_repo: http://10.3.163.35/pub/fedora/linux/releases/35/Server/x86_64/os/
 ks_url: http://10.3.163.35/repo/rhel/ks/kvm-fedora
 nrpe_procs_crit: 1000
 nrpe_procs_warn: 900
-# we need sftp here in order to support the sshfs mount on buildvm-s390x-01
-sshd_sftp: true
 virt_install_command: "{{ virt_install_command_one_nic }}"
 vmhost: bvmhost-x86-02.iad2.fedoraproject.org
 volgroup: /dev/vg_guests
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index b54428d..bd6f809 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -62,8 +62,4 @@ AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
 AuthorizedKeysCommandUser nobody
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 {% endif %}
-
-
-{% if sshd_sftp %}
 Subsystem sftp internal-sftp
-{% endif %}
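Review bot: With the `{% if sshd_sftp %}` guard removed in roles/basessh/templates/sshd_config, `Subsystem sftp internal-sftp` is rendered on every host that uses this template, and deleting `sshd_sftp` from inventory/group_vars/all leaves no inventory variable to switch it off for a single host. `internal-sftp` is served inside sshd and does not start the account's login shell, so any host that relies on a restricted or nologin shell to limit what an authenticated account can do should be checked before this rolls out; the hunk does not show whether the rest of the template has a `ForceCommand` or `Match` block covering such accounts. Consider keeping the guard and flipping the default instead, `sshd_sftp: true` in group_vars/all, so an opt-out remains, and logging transfers with `Subsystem sftp internal-sftp -l INFO`. The template continues above the hunk.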