Merge "[fedora-atomic][k8s]Disable ssh password authentication"

2019-09-04 09:52:27 +00:00 · 2019-09-04 09:52:27 +00:00 · 5ad2003cf6
parent a143ffdef1 3a0a43877a
commit 5ad2003cf6
2 changed files with 9 additions and 0 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
@ -43,6 +43,9 @@ Host localhost
 EOF

 sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
+# Security enhancement: Disable password authentication
+sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config
+
 systemctl restart sshd


--- a/releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml
+++ b/releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Regarding passwords, they could be guessed if there is no
+    faild-to-ban-like solution. So it'd better to disable it for security
+    reasons. It's only effected for fedora atomic images.