Document SSH key and password authentication #80
This looks great! Any chance you could throw in an example of how to create a hashed password and an FCC that uses it? I know when I come to look at this documentation those two pieces of info (along with the SSH password auth enablement bit) are going to be exactly what I'm looking for to try to reproduce a problem and having them together is going to make my life way easier.
inline: | | ||
# Fedora CoreOS disables SSH password login by default. | ||
# Enable it. | ||
# This file must sort before 04-disable-passwords.conf. |
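Review bot: the last comment line says the file must sort before 04-disable-passwords.conf but gives no reason in the visible lines. Consider adding a short clause saying that sshd uses the first value it reads for a setting, so a reader who renames the file knows that a later-sorting name would have no effect.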
I wonder if since SSHD uses a "first one wins" strategy for config merging we should make the files we write easier to override by putting them at a higher number. i.e., 80-disable-passwords.conf
We can't. The Fedora package ships an 05-redhat.conf that includes PasswordAuthentication yes.
ahh - grr. I guess my same question would apply to the rpm maintainers. Started a discussion there: https://src.fedoraproject.org/rpms/openssh/pull-request/9
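The ordering constraint discussed in this review thread, as an added example that is not part of the PR or of any project's code: a small resolver that applies sshd's "first obtained value wins" rule to drop-in files read in lexical order. The file contents, the user file names and the helper names are constructed for illustration; only 04-disable-passwords.conf, 05-redhat.conf and the `PasswordAuthentication yes` line come from the thread. Match blocks are not modelled.

```python
import re

def effective_setting(dropins, keyword):
    """Return (value, source_file) for keyword under sshd's first-value-wins rule.

    dropins maps file name -> file text for one included directory.
    Files are processed in lexical order, as sshd does for Include globs.
    Assumption: no Match blocks, which this sketch does not model.
    """
    for name in sorted(dropins):
        for raw in dropins[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
            parts = re.split(r"[ \t=]+", line, maxsplit=1)
            if len(parts) == 2 and parts[0].lower() == keyword.lower():
                return parts[1].strip(), name
    return None, None

# Constructed contents for the two files named in the thread.
SHIPPED = {
    "04-disable-passwords.conf": "PasswordAuthentication no\n",
    "05-redhat.conf": "PasswordAuthentication yes\n",
}

def with_user_file(name):
    """Add a hypothetical user drop-in that enables passwords and resolve again."""
    files = dict(SHIPPED)
    files[name] = "# user drop-in (constructed)\nPasswordAuthentication yes\n"
    return effective_setting(files, "PasswordAuthentication")

def renamed_proposal():
    """The rename floated in the thread: the disable file moved to 80-."""
    files = {
        "05-redhat.conf": SHIPPED["05-redhat.conf"],
        "80-disable-passwords.conf": "PasswordAuthentication no\n",
    }
    return effective_setting(files, "PasswordAuthentication")

if __name__ == "__main__":
    print("shipped only:     ", effective_setting(SHIPPED, "PasswordAuthentication"))
    print("user file at 02-: ", with_user_file("02-enable-passwords.conf"))
    print("user file at 80-: ", with_user_file("80-enable-passwords.conf"))
    print("disable file 80-: ", renamed_proposal())
```

A user file that sorts after 04- changes nothing, and moving the disable file to 80- lets the 05-redhat.conf value take effect, which is why the rename was rejected.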
Updated!
This looks really great @bgilbert. Thanks for incorporating the suggestion to include an fcct snippet and also instructions on how to properly generate a hashed password. It makes this documentation so much better!
This is ready for merge, but I'm converting to draft so no one merges yet as recommended in #80 (comment)
Should we link to this new documentation from the "By default, FCOS does not allow password logins via SSH. We recommend configuring SSH keys instead." in https://docs.fedoraproject.org/en-US/fedora-coreos/migrate-cl/#_configuration_changes ?
Done!
Hold for sshd packaging changes.
Added a separate commit to renumber the
IIUC if someone implements
OK, moved that part to #85.
Hold until Fedora 32 reaches FCOS stable.
Fixes coreos/fedora-coreos-tracker#138.