From 3f2f82a5b157feb7afcf525947eff4eb49c83be4 Mon Sep 17 00:00:00 2001
From: Marc Gariepy
Date: Mon, 29 Jan 2018 16:26:32 -0500
Subject: [PATCH] Change default for sshd to only all keybased auth

Set PermitRootLogin to prohibit-password instead of yes.

Change-Id: Ifde08c43c29a6c437d622399ea48be96c0ac3432
---
 defaults/main.yml                                      | 2 +-
 .../notes/PermitRootLogin-chages-7ce97df6d612223e.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index cfefb361..95b41aa6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -95,7 +95,7 @@ lxc_pip_packages:
   - lxc-python2
 
 lxc_cache_sshd_configuration:
-  - { regexp: "^PermitRootLogin", line: "PermitRootLogin yes" }
+  - { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
   - { regexp: "^TCPKeepAlive", line: "TCPKeepAlive yes" }
   - { regexp: "^UseDNS", line: "UseDNS no" }
   - { regexp: "^X11Forwarding", line: "X11Forwarding no" }
diff --git a/releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml b/releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml
new file mode 100644
index 00000000..1f19b291
--- /dev/null
+++ b/releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - The PermitRootLogin in sshd_config changed from 'yes'
+    to 'prohibit-password' in the containers. By default
+    there is no password set in the containers but the ssh
+    pub key from the deployment host is injected in the
+    targets nodes authorized_keys.
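Review bot: The new `PermitRootLogin prohibit-password` line in the defaults/main.yml hunk is only understood by OpenSSH 7.0 and later; on an older sshd an unrecognised PermitRootLogin value is a configuration error that prevents sshd from starting, which would lock operators out of the container rather than harden it. If any container image this role provisions may carry an older OpenSSH, `line: "PermitRootLogin without-password"` is the safer spelling, since that alias is accepted by both old and current releases with the same key-only meaning. The `^PermitRootLogin` regexp only matches an existing uncommented directive, so the outcome when the image's sshd_config carries only a commented `#PermitRootLogin` line depends on the task that consumes `lxc_cache_sshd_configuration`, which is outside this hunk and worth confirming. A short comment above the entry would also record the rationale for future readers, e.g. `# Root may only authenticate with a key; the deployment host's public key is placed in the container's authorized_keys.`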