-rw-r--r--src/package.lisp3
-rw-r--r--src/property/sshd.lisp13
2 files changed, 15 insertions, 1 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 986a311..c65421a 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -312,7 +312,8 @@
(#:file #:consfigurator.property.file)
(#:apt #:consfigurator.property.apt))
(:export #:installed
- #:configured))
+ #:configured
+ #:no-passwords))
(defpackage :consfigurator.connection.shell-wrap
(:use #:cl #:consfigurator)
diff --git a/src/property/sshd.lisp b/src/property/sshd.lisp
index 5a3be00..6e751d6 100644
--- a/src/property/sshd.lisp
+++ b/src/property/sshd.lisp
@@ -29,3 +29,16 @@
(:desc (format nil "sshd configured ~{~A ~A~^, ~}" pairs))
(:apply
(apply #'file:contains-conf-space "/etc/ssh/sshd_config" pairs)))
+
+(defprop no-passwords :posix ()
+ "Configure SSH to disallow password logins.
+To prevent lockouts, also enables logging in as root with an SSH key, and
+refuses to proceed if root has no authorized_keys."
+ (:desc "SSH passwords disabled")
+ (:apply
+ (assert-euid-root)
+ (unless (and (remote-exists-p ".ssh/authorized_keys")
+ (plusp (length (readfile ".ssh/authorized_keys"))))
+ (failed-change "root has no authorized_keys"))
+ (configured "PermitRootLogin" "without-password"
+ "PasswordAuthentication" "no")))
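Review bot: The lockout guard in the `:apply` body tests the relative path `".ssh/authorized_keys"`, so it only protects root if the remote working directory happens to be root's home when the property runs; if it is anywhere else, `remote-exists-p` returns nil and the property fails even when root has keys, or — worse, if a stray `.ssh/authorized_keys` exists under that other directory — it passes while root actually has none. Resolving the path absolutely, e.g. `(remote-exists-p "/root/.ssh/authorized_keys")` (or deriving it from root's home directory if the codebase has a helper for that), removes the dependency on the cwd. The `plusp (length ...)` test also accepts a file holding only blank lines or `#` comments, so the guard is weaker than the docstring's "has no authorized_keys" suggests; it may be worth a comment saying the check is against an empty file, not against a usable key. Separately, OpenSSH 7.0+ spells this setting `prohibit-password` and keeps `without-password` only as a deprecated alias, so a short comment such as `;; "without-password" == "prohibit-password" on OpenSSH >= 7.0; kept for older releases` would explain the choice to the next maintainer.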