From 46002ac0aa1f02fbb47f36835a7fd45fdb2a9d35 Mon Sep 17 00:00:00 2001
From: linaksa
Date: Fri, 2 Oct 2015 17:37:52 -0700
Subject: [PATCH 1/2] Added attribute for PasswordAuthentication option in SSHD
---
 attributes/default.rb | 1 +
 templates/default/opensshd.conf.erb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 6e98dade..dbd4f915 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -66,6 +66,7 @@ default['ssh']['allow_groups'] = [] # sshd
 default['ssh']['print_motd'] = false # sshd
 default['ssh']['print_last_log'] = false # sshd
+default['ssh']['password_authentication'] = 'yes'
 # set this to nil to let us use the default OpenSSH in case it's not set by the user
 default['ssh']['use_dns'] = nil # sshd
 # set this to nil to let us detect the attribute based on the node platform
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index 312050e4..b9199adb 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -104,7 +104,7 @@ HostbasedAuthentication no
 # Enable PAM to enforce system wide rules
 UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication <%= @node['ssh']['password_authentication'] %>
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
From 3f3cacbc57ecbef6b557ce2dfc76ca11ec64cf56 Mon Sep 17 00:00:00 2001
From: linaksa
Date: Fri, 2 Oct 2015 17:51:52 -0700
Subject: [PATCH 2/2] Made template and attribute changes more consistent
---
 attributes/default.rb | 2 +-
 templates/default/opensshd.conf.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index dbd4f915..75826f6a 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
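Review bot: In [PATCH 1/2], the new default `default['ssh']['password_authentication'] = 'yes'` turns password logins on for any node converged at this revision, where the template previously hard-coded `PasswordAuthentication no`. The template hunk of the same patch writes the attribute into sshd_config unfiltered, so a `nil` or boolean override would render something other than `yes`/`no`. [PATCH 2/2] changes both lines, but the intermediate commit still carries the weaker default if it is checked out or bisected on its own. Squashing the two patches, or using `default['ssh']['password_authentication'] = false # sshd` already here, keeps every revision at the hardened setting.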
@@ -66,7 +66,7 @@ default['ssh']['allow_groups'] = [] # sshd
 default['ssh']['print_motd'] = false # sshd
 default['ssh']['print_last_log'] = false # sshd
-default['ssh']['password_authentication'] = 'yes'
+default['ssh']['password_authentication'] = false # sshd
 # set this to nil to let us use the default OpenSSH in case it's not set by the user
 default['ssh']['use_dns'] = nil # sshd
 # set this to nil to let us detect the attribute based on the node platform
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index b9199adb..8194d139 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -104,7 +104,7 @@ HostbasedAuthentication no
 # Enable PAM to enforce system wide rules
 UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication <%= @node['ssh']['password_authentication'] %>
+PasswordAuthentication <%= ((@node['ssh']['password_authentication']) ? "yes" : "no" ) %>
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
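Review bot: The new attribute line in `attributes/default.rb` carries only the `# sshd` tag, so nothing tells an operator that the value is read as a boolean or that enabling it re-opens password logins. A comment line above it would help, e.g. `# boolean; true renders 'PasswordAuthentication yes' and exposes sshd to password brute-forcing, keep false unless key-based login is not possible`. If the cookbook's README lists its attributes (not visible in this patch), the new one presumably belongs there as well.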
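Review bot: The ternary on the new `PasswordAuthentication` line fails open: in Ruby every value other than `false` and `nil` is truthy, so an override of `'no'` or `'false'` (the string form [PATCH 1/2] introduced) renders `PasswordAuthentication yes`. A strict comparison, `PasswordAuthentication <%= (@node['ssh']['password_authentication'] == true) ? "yes" : "no" %>`, keeps anything but an explicit `true` at the hardened value; the `UsePAM` line above follows the same truthiness pattern. The unchanged comment above the directive still reads "Disable password-based authentication", which no longer describes the line once the attribute is set; `# Password-based authentication stays off unless explicitly enabled; it can allow for easier brute-force attacks.` would match the new behaviour.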