From 2797bf6f6190e2937c43c238f98dc51348054c90 Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Thu, 1 Apr 2021 23:28:35 -0700
Subject: add SSHD:NO-PASSWORDS
Signed-off-by: Sean Whitton
---
 src/package.lisp | 3 ++-
 src/property/sshd.lisp | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/package.lisp b/src/package.lisp
index 986a311..c65421a 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -312,7 +312,8 @@
 (#:file #:consfigurator.property.file)
 (#:apt #:consfigurator.property.apt))
 (:export #:installed
- #:configured))
+ #:configured
+ #:no-passwords))
 
 (defpackage :consfigurator.connection.shell-wrap
 (:use #:cl #:consfigurator)
diff --git a/src/property/sshd.lisp b/src/property/sshd.lisp
index 5a3be00..6e751d6 100644
--- a/src/property/sshd.lisp
+++ b/src/property/sshd.lisp
@@ -29,3 +29,16 @@
 (:desc (format nil "sshd configured ~{~A ~A~^, ~}" pairs))
 (:apply
 (apply #'file:contains-conf-space "/etc/ssh/sshd_config" pairs)))
+
+(defprop no-passwords :posix ()
+"Configure SSH to disallow password logins.
+To prevent lockouts, also enables logging in as root with an SSH key, and
+refuses to proceed if root has no authorized_keys."
+(:desc "SSH passwords disabled")
+(:apply
+(assert-euid-root)
+(unless (and (remote-exists-p ".ssh/authorized_keys")
+(plusp (length (readfile ".ssh/authorized_keys"))))
+(failed-change "root has no authorized_keys"))
+(configured "PermitRootLogin" "without-password"
+"PasswordAuthentication" "no")))
--
cgit v1.2.3
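Review bot: In the new `no-passwords` property in src/property/sshd.lisp, `PasswordAuthentication no` on its own does not stop password logins when sshd uses PAM and `ChallengeResponseAuthentication` (spelled `KbdInteractiveAuthentication` in newer OpenSSH) is left at its default of yes, because PAM can still prompt for the password over keyboard-interactive; the `configured` call should also pass that option, e.g. `(configured "PermitRootLogin" "without-password" "PasswordAuthentication" "no" "ChallengeResponseAuthentication" "no")`. The value `"without-password"` has been a deprecated alias of `prohibit-password` since OpenSSH 7.0; both are accepted today, but the current spelling states the intent more clearly. The guard checks the relative path `.ssh/authorized_keys`, so it presumably depends on the remote working directory being root's home; if the connection does not guarantee that, the check can pass or fail against the wrong directory and would be safer as an absolute path or one resolved from the home directory. Whether `file:contains-conf-space` reloads sshd after editing /etc/ssh/sshd_config is not visible in this diff; if it does not, the docstring should say the daemon must be reloaded before the new setting takes effect.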