Change default for sshd to only all keybased auth

Set PermitRootLogin to prohibit-password instead of yes. Change-Id: Ifde08c43c29a6c437d622399ea48be96c0ac3432
2018-01-29 16:26:32 -05:00 · 2018-01-29 16:26:32 -05:00 · 3f2f82a5b1
commit 3f2f82a5b1
parent 5085d45d7b
2 changed files with 8 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -95,7 +95,7 @@ lxc_pip_packages:
  - lxc-python2

 lxc_cache_sshd_configuration:
-    - { regexp: "^PermitRootLogin",         line: "PermitRootLogin yes" }
+    - { regexp: "^PermitRootLogin",         line: "PermitRootLogin prohibit-password" }
    - { regexp: "^TCPKeepAlive",            line: "TCPKeepAlive yes" }
    - { regexp: "^UseDNS",                  line: "UseDNS no" }
    - { regexp: "^X11Forwarding",           line: "X11Forwarding no" }
--- a/releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml
+++ b/releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - The PermitRootLogin in sshd_config changed from 'yes'
+    to 'prohibit-password' in the containers. By default
+    there is no password set in the containers but the ssh
+    pub key from the deployment host is injected in the
+    targets nodes authorized_keys.