cloud-init team mailing list archive

Thread
Date

disabling root

To: cloud-init <cloud-init@xxxxxxxxxxxxxxxxxxx>
From: Robert Schweikert <rjschwei@xxxxxxxx>
Date: Tue, 18 Jun 2019 21:24:02 -0400
Autocrypt: addr=rjschwei@xxxxxxxx; prefer-encrypt=mutual; keydata= mQENBFNXkrABCADLEZufvUtnTs8CvygaUT8U9CMseEilU6MZoTgOQrYANuWNVWT91WweQuiQ psDJWnTZuTD9IRxuNeO4VRbbb0VaVef5IEPWoSrZnGqYuA5NqA9Bo4xwsmm089DEDWZa6+Em hrvaSUcYOnwc7VOKpGrl3ksYG0PWe7fUOHa1WaLVnqWMGGcaa/ljw55sXLh7SrueuD32ZJEl 4uWrPpujs7hjzd0DhdkdPtzFyi43XAC6SS6ksRd7KyGkKJErSwgPuL9oOjfIippstqz7WNJg 7cJQ6qA9NHrc9PcqODLzOXAF3VPRgdO9U2IhE2a3cz9UEucfv3jpMSn33f1M1wSDEsFnABEB AAG0J1JvYmVydCBKIFNjaHdlaWtlcnQgPHJqc2Nod2VpQHN1c2UuY29tPokBOQQTAQIAIwUC U1eTNAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEE4FgL32d2UkHZgH/jn+HNIH nXLr/pHRkUQWCZtGbYoDXlk8QomAZiGUj/+2xSbxag45gyaTtEN5eh39jRvBH1RX5B+wJarC LSo/gutl2XGf4ULyldTjX6RMgi9EVgW9+byQuQmDnBSbnpp0QTyV4wxQpkpJ709O+GjRKV7q ktlGhiyYKamOO3v/zIADQcco4gNCel6I/RZWfZJ5BfjwrBZZ+cgdIG2AHCitnhtkJIQ4KP3P +Z6va8xC1M+EiEooZu5aDKUTUu99yvmKr9F2nZigpVZRb/SqXiiZp1s3O1wYtqDzvE5ti4XY 27mLiOTBsNEvDB20RERqEidoHT+WkS8hevKvSGdkmNTgqGO5AQ0EU1eSsAEIAM+5gLM95G0L IyoY01tRdnXAUCeEOzRTHhtPA5eXIvNU9npza2MNxYJI1XJhlUah3RRbqJluoNniA4bZNlcC OQU0Y0WvrYsqYnWGpqp61dDogwZexwGSBXn+4z5QoU6Wfc8XcewcZFLBVcJw0gceu0lbnYJU LfrPEWzLckRXx9ngnTg/GQTtpqDA8Xd+0CIpZEEFXskCE1kKZBRqJ1W+Re5HUelLfpWLsQn5 DuHjLnjCHXFut2RW2pbTqHEK2yAPMMbKm6wJKq7pIMKZ73YcX9205bIRbhYQGyQ1oEVHt5Yx cBdvlkMNWVUsoEvcYpXK4vGBNU1kGneeaSB+MntsFI0AEQEAAYkBHwQYAQIACQUCU1eSsAIb DAAKCRBOBYC99ndlJN7/B/9pg6rRiZWPmm6l1BTbAnHj41GqMFSAMil371rOnG6hNLGZISUe KfnZdzbUAEDlIRUGAE/A30J2gcOP9Y6zKYffWYK4LlFknFZqDJRsjFkzDjsreQJ1jyvkm33O Dmx3QriBq8uFGWP57m34bs88f1Q3V04wNNLPVYoQjlyqU8ggKwUA3TyojmtUV+c0EUe1pzMd SwO7OhIVmE44WI95qTIA4GsnijWhqVUQXbLlMIFUndLGZ2SQNaeNhi5yeMWPveMFcg26MBwQ hHurJAcOfpOzW8bl7u+zQRlftAqhQ4o4n07dz2lPW+nPXdV68SWIbDsUCRWbInersTFXqUjp 4QxK
Openpgp: preference=signencrypt
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

Hi,

Had a comment on the behavior with disabling root/setting up ssh login.

The configuration contains:
ssh_pwauth: False
lock-passwd: True
disable_root: True

And the expectation is that

ChallengeResponseAuthentication no
PermitRootLogin no

would be set, which is currently not the case. The user is getting the
desired behavior with:

runcmd:
 # Disable root and password SSH login
 - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/'
/etc/ssh/sshd_config
 - sed -i -e
'/^#ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication
no/' /etc/ssh/sshd_config
 - sed -i -e '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication
no/' /etc/ssh/sshd_config
 - systemctl restart sshd

Is this a behior change we might want to make in cloud-init?

Thanks,
Robert

-- 
Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Technical Team Lead Public Cloud
rjschwei@xxxxxxxx
IRC: robjo

Follow ups

Re: disabling root
From: Ryan Harper, 2019-06-19