author | Sean Whitton <spwhitton@spwhitton.name> | 2021-04-01 23:28:35 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-04-01 23:28:35 -0700 |
commit | 2797bf6f6190e2937c43c238f98dc51348054c90 (patch) | |
tree | f0325861444239e2c72a7df19aa5101944b2d51d | |
parent | 9afcae19b3fc5bfc36a38b158c445a2ba08b6033 (diff) | |
download | consfigurator-2797bf6f6190e2937c43c238f98dc51348054c90.tar.gz |
add SSHD:NO-PASSWORDS
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
-rw-r--r-- | src/package.lisp | 3 | ||||
-rw-r--r-- | src/property/sshd.lisp | 13 |
2 files changed, 15 insertions, 1 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 986a311..c65421a 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -312,7 +312,8 @@
 (#:file #:consfigurator.property.file)
 (#:apt #:consfigurator.property.apt))
 (:export #:installed
- #:configured))
+ #:configured
+ #:no-passwords))
 
 (defpackage :consfigurator.connection.shell-wrap
 (:use #:cl #:consfigurator)
diff --git a/src/property/sshd.lisp b/src/property/sshd.lisp
index 5a3be00..6e751d6 100644
--- a/src/property/sshd.lisp
+++ b/src/property/sshd.lisp
@@ -29,3 +29,16 @@
 (:desc (format nil "sshd configured ~{~A ~A~^, ~}" pairs))
 (:apply (apply #'file:contains-conf-space "/etc/ssh/sshd_config"
 pairs)))
+
+(defprop no-passwords :posix ()
+ "Configure SSH to disallow password logins.
+To prevent lockouts, also enables logging in as root with an SSH key, and
+refuses to proceed if root has no authorized_keys."
+ (:desc "SSH passwords disabled")
+ (:apply
+ (assert-euid-root)
+ (unless (and (remote-exists-p ".ssh/authorized_keys")
+ (plusp (length (readfile ".ssh/authorized_keys"))))
+ (failed-change "root has no authorized_keys"))
+ (configured "PermitRootLogin" "without-password"
+ "PasswordAuthentication" "no")))
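Review bot: Setting only `PasswordAuthentication no` in the new `no-passwords` property does not by itself rule out password logins: where sshd's `ChallengeResponseAuthentication` (keyboard-interactive via PAM) is left at its upstream default of yes, a password prompt is still offered, so the property's name and docstring promise more than the `configured` call delivers. Adding `"ChallengeResponseAuthentication" "no"` to the `configured` pairs closes that path on OpenSSH releases of the era; newer releases spell the option `KbdInteractiveAuthentication` and keep the old name as an alias. `without-password` is likewise the deprecated spelling of `PermitRootLogin prohibit-password` (OpenSSH 7.0+); both are accepted, but the current name states the intent more clearly. The lockout guard reads `.ssh/authorized_keys` relative to the remote working directory, which presumably is root's home after `assert-euid-root` — worth confirming, and a file holding only comments or blank lines would still satisfy the `plusp` check.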