Commit df1bc449 authored by Leigh B Stoller

Geni Racks change; disable password based login completely.

This turns out to be less obvious than first thought, since
with PAM built into sshd, also need to turn off the
ChallengeResponseAuthentication setting.
parent 7c505720
......@@ -44,16 +44,22 @@ sub Install($$$)
" StrictHostKeyChecking no",
" Protocol 2,1");
};
# GPO wants this turned off.
# GPO wants password authentication turned off.
if ($PROTOGENI_GENIRACK) {
Phase "sshdconfig", "Turning off password authentication", sub {
DoneIfEdited($SSHD_CONFIG);
ExecQuietFatal("sed -i.orig ".
" -e 's/PasswordAuth/#PasswordAuth/' ".
"$SSHD_CONFIG");
" -e 's/PermitRootLogin/#PermitRootLogin/' ".
" -e 's/ChallengeResponseAuthentication/".
"#ChallengeResponseAuthentication/' ".
"$SSHD_CONFIG");
AppendToFileFatal($SSHD_CONFIG, "PasswordAuthentication no");
AppendToFileFatal($SSHD_CONFIG,
"PasswordAuthentication no",
"ChallengeResponseAuthentication no",
"PermitRootLogin without-password");
# HUP the server so the changes take effect
if (-r "/var/run/sshd.pid") {
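Review bot: The three directives passed to AppendToFileFatal land at the very end of $SSHD_CONFIG, so on any image whose sshd_config ends with a Match block they become part of that block and apply only to matching connections, leaving the global defaults in force for everyone else. Consider inserting them before the first Match line, or checking that the file has no Match block before appending. The sed expressions are also unanchored and case-sensitive: 's/PermitRootLogin/#PermitRootLogin/' rewrites the keyword wherever it appears on a line, including lines that are already comments, and misses a differently cased spelling that sshd would still accept. Anchoring to the start of the line, for example 's/^[[:space:]]*PermitRootLogin/#&/', would limit the edit to active directives. Since a mistake here can lock out remote access, running "sshd -t" on the edited file before the HUP would catch a bad config while the old daemon is still serving.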
......
......@@ -30,8 +30,14 @@ sub Install($$$)
if ($PROTOGENI_GENIRACK) {
ExecQuietFatal("sed -i.orig ".
" -e 's/PasswordAuth/#PasswordAuth/' ".
" -e 's/PermitRootLogin/#PermitRootLogin/' ".
" -e 's/ChallengeResponseAuthentication/".
"#ChallengeResponseAuthentication/' ".
"$SSHD_CONFIG");
push(@strings, "PasswordAuthentication no");
push(@strings,
"PasswordAuthentication no",
"ChallengeResponseAuthentication no",
"PermitRootLogin without-password");
}
AppendToFileFatal($SSHD_CONFIG, @strings);
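Review bot: The sed invocation and the three appended strings in this $PROTOGENI_GENIRACK block are a copy of the ones in the other Install() hunk, so the two files can drift apart the next time one of them is changed; a shared helper that returns the sed arguments and the directive list would keep them in step. In the lines shown there is also no DoneIfEdited-style check in front of this sed, unlike the Phase block in the other file. If nothing outside the hunk prevents a second run, "sed -i.orig" will overwrite the .orig backup with the already edited file and AppendToFileFatal will add the directives again, so it is worth confirming this path is guarded or making it idempotent. A short comment noting that "PermitRootLogin without-password" still permits key-based root login would make the intent clear to the next reader.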
......