From 3a0a43877a5670b1f8c9b769c7e4b723af2406c9 Mon Sep 17 00:00:00 2001
From: Feilong Wang
Date: Tue, 20 Aug 2019 10:50:24 +1200
Subject: [PATCH] [fedora-atomic][k8s]Disable ssh password authentication

Regarding passwords, they could be guessed if there is no faild-to-ban-like solution. So it'd better to disable it for security reasons.

Task: 36300
Story: 2006413
Change-Id: Ie7534c12612750d9aafd4feae5193b34997b22ff
---
 .../templates/kubernetes/fragments/start-container-agent.sh | 3 +++
 .../notes/disable-ssh-password-authn-f2baf619710e52aa.yaml | 6 ++++++
 2 files changed, 9 insertions(+)
 create mode 100644 releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
index 342fe96b59..4e43c7bd23 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
@@ -43,6 +43,9 @@ Host localhost
 EOF
 sed -i '/^PermitRootLogin/ s/ .*/ without-password/' /etc/ssh/sshd_config
+# Security enhancement: Disable password authentication
+sed -i '/^PasswordAuthentication yes/ s/ yes/ no/' /etc/ssh/sshd_config
+
 systemctl restart sshd
diff --git a/releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml b/releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml
new file mode 100644
index 0000000000..438c3cff4b
--- /dev/null
+++ b/releasenotes/notes/disable-ssh-password-authn-f2baf619710e52aa.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Regarding passwords, they could be guessed if there is no
+ faild-to-ban-like solution. So it'd better to disable it for security
+ reasons. It's only effected for fedora atomic images.
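Review bot: The added `sed` in start-container-agent.sh only rewrites a line that literally begins `PasswordAuthentication yes`, so on an image where the directive is commented out, absent, or written with a tab, the substitution silently does nothing and sshd keeps its default, which permits passwords. Set the value whatever the current state is, e.g. `sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config` followed by `grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config || sed -i '1i PasswordAuthentication no' /etc/ssh/sshd_config`, which keeps the directive in the global section rather than under a trailing `Match` block. Keyboard-interactive authentication through PAM may still prompt for a password, so it is worth confirming the effective setting with `sshd -T` before the `systemctl restart sshd`. The rest of the script lies outside this hunk, so whether sshd_config is adjusted elsewhere cannot be seen here.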