basessh: Only use useprivseperation on rhel7 and add sftp on koji01

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/group_vars/all

@@ -307,3 +307,8 @@ copr_build_virthost: false
 # like the prerelease to final ones.
 #
 redirectmatch_enabled: True
+
+#
+# sshd can run a internal sftp server, we need this on some hosts, but 
+# not on most of them, so default to false
+sshd_sftp: false

inventory/host_vars/koji01.phx2.fedoraproject.org

@@ -24,3 +24,6 @@ fedmsg_koji_instance: primary
 koji_topurl: "https://kojipkgs.fedoraproject.org/"
 koji_server_url: "https://koji.fedoraproject.org/kojihub"
 koji_weburl: "https://koji.fedoraproject.org/koji"
+
+# we need sftp here in order to support the sshfs mount on buildvm-s390x-01
+sshd_sftp: true

roles/basessh/templates/sshd_config

@@ -33,7 +33,7 @@ PermitTunnel no
 
 {% if ansible_distribution_major_version == "6" %}
 UsePrivilegeSeparation yes
-{% else %}
+{% elif ansible_distribution_major_version == "7" %}
 UsePrivilegeSeparation sandbox
 {% endif %}
 
@@ -48,3 +48,6 @@ AcceptEnv XMODIFIERS
 AuthorizedKeysCommandUser git
 AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
 {% endif %}
+{% if sshd_sftp %}
+Subsystem sftp internal-sftp
+{% endif %}