From 6799a8ce2544d771601b8f562abbf94044a9eeae Mon Sep 17 00:00:00 2001
From: Raoul
Date: Sun, 26 Aug 2018 17:25:12 +0200
Subject: [PATCH] Optionally disable Allow[Users,Groups] options

---
 defaults/main.yml | 3 +++
 readme.md | 2 ++
 templates/sshd_config | 2 ++
 3 files changed, 7 insertions(+)
 create mode 100644 defaults/main.yml

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..5c7f89b
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Enable AllowUsers and AllowGroups options
+restrict_allow_users: True
diff --git a/readme.md b/readme.md
index ce7fc47..bafeabe 100644
--- a/readme.md
+++ b/readme.md
@@ -7,6 +7,8 @@ Ansible role to configure the OpenSSH `ssh` server.
 Variables
 ---------
 
+* `restrict_allow_users`: enable the `AllowUsers` and `AllowGroups` options.
+
 Files
 -----
 
diff --git a/templates/sshd_config b/templates/sshd_config
index 7dac270..d8315f2 100644
--- a/templates/sshd_config
+++ b/templates/sshd_config
@@ -32,8 +32,10 @@ UsePAM yes
 
 # User Authentication
 
+{% if restrict_allow_users|default(True) %}
 AllowUsers {{ sshd_allow_users|join(' ') }}
 AllowGroups {{ sshd_allow_groups|join(' ') }}
+{% endif %}
 
 PermitRootLogin without-password
 LoginGraceTime 120
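Review bot: The comment above `restrict_allow_users` in defaults/main.yml says what the flag enables but not what switching it off means for access control. In the templates/sshd_config hunk both directives sit inside the same conditional, so a false value drops the whole allow-list and login is limited only by sshd's remaining settings. I would state that next to the default, e.g. `# Set to False to omit AllowUsers/AllowGroups; sshd then accepts any account that can authenticate`, and repeat the sentence in the readme.md entry so the trade-off is visible where the variable is chosen.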
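Review bot: The new test `{% if restrict_allow_users|default(True) %}` in templates/sshd_config relies on Jinja truthiness, so a value that arrives as a string (for example from `-e restrict_allow_users=false`) is non-empty and evaluates true. The allow-list then stays in place, which fails safe, but the operator's setting is silently ignored; `{% if restrict_allow_users|default(True)|bool %}` makes the flag behave as written. The context line `PermitRootLogin without-password` is outside the conditional, so with the flag off root key logins are no longer narrowed by any allow-list; a one-line template comment beside the `{% if %}` would make that explicit for whoever audits the rendered file.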