Disable SSH password logins by default #96
Conversation
| @@ -78,6 +78,14 @@ postprocess: | |||
| set -xeuo pipefail | |||
| sed -i 's/^AuthorizedKeysFile[[:blank:]]/#&/' /etc/ssh/sshd_config | |||
| echo -e '\n# Read authorized_keys fragments written by Ignition and Afterburn\nAuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys.d/ignition .ssh/authorized_keys.d/afterburn' >> /etc/ssh/sshd_config | |||
| # Disable SSH password logins by default | |||
| # Move to overlay once sshd_config fragments are supported | |||
There was a problem hiding this comment.
Is this something that is coming to sshd?
Edit: I can't read backlog. https://bugzilla.mindrot.org/show_bug.cgi?id=2468#c8
There was a problem hiding this comment.
coreos/fedora-coreos-tracker#138 (comment) is also an option.
|
LGTM.. but this does make my head hurt when thinking about upgrading to f31 where the default config will change and also updating to sshd_config fragments when that is available. i.e. are our existing systems going to get the changes or are they going to keep this config as shipped? |
Hmm not sure I follow. It should be just like any other config changes, right? IOW, once fragments are supported, it should be safe to drop this snippet in favour of a fragment drop-in. The drop-in will be added on system updates, and unless users modified their |
|
Considering the cases:
So if we want to move our changes to a fragment, we should probably do it before the stable release. |
…eos#96) Otherwise, osmet won't kick in.
For coreos/fedora-coreos-tracker#138. We don't support
sshd_configfragments yet, so the only way to override this with Ignition is by writing aConditionFirstBoot=trueunitBefore=sshd.servicethat runssedoversshd_config. But it is possible to override it, so let's start testing with this configuration.