cloud-init team mailing list archive

Re: disabling root

 

On Tue, Jun 18, 2019 at 8:24 PM Robert Schweikert <rjschwei@xxxxxxxx> wrote:

> Hi,
>
> Had a comment on the behavior with disabling root/setting up ssh login.
>
> The configuration contains:
> ssh_pwauth: False
> lock-passwd: True
> disable_root: True
>
> And the expectation is that
>
> ChallengeResponseAuthentication no
> PermitRootLogin no
>
> would be set, which is currently not the case. The user is getting the
> desired behavior with:
>
> runcmd:
>  # Disable root and password SSH login
>  - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
>  - sed -i -e '/^#ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
>  - sed -i -e '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
>  - systemctl restart sshd
>
> Is this a behavior change we might want to make in cloud-init?
>

Those values are not currently set so that ssh can respond with a helpful method
which redirects the user to ssh in as a different user.

$ ssh root@10.5.0.26
Please login as the user "ubuntu" rather than the user "root".

versus:

% ssh root@10.5.0.27
Permission denied (publickey).

I think the current behavior is nicer.  Is there a strong requirement to
not provide the hint?

Ryan


> Thanks,
> Robert
>
> --
> Robert Schweikert                   MAY THE SOURCE BE WITH YOU
> Distinguished Architect                       LINUX
> Technical Team Lead Public Cloud
> rjschwei@xxxxxxxx
> IRC: robjo
>
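
An added example, not part of either message and not cloud-init code: the quoted sed expressions only rewrite a line that already exists in the exact form they match (uncommented `PermitRootLogin`, commented `ChallengeResponseAuthentication` and `PasswordAuthentication`). The sketch below sets each directive whatever state it is in and is safe to run repeatedly; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample file are constructed here.
# Assumes whitespace-separated "Keyword value" lines.

# Value sshd uses globally: first uncommented KEYWORD before any Match line.
effective_global() {    # FILE KEYWORD
    awk -v kw="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Remove uncommented global copies of KEYWORD and write the wanted line first,
# ahead of any Match block. Lines inside Match blocks are left for review.
set_directive() {       # FILE KEYWORD VALUE
    file=$1; kw=$2; val=$3
    [ "$(effective_global "$file" "$kw")" = "$val" ] && return 0
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$kw" "$val"
        awk -v kw="$kw" '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == tolower(kw) { next }
            { print }
        ' "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

harden() {              # FILE
    set_directive "$1" PasswordAuthentication no &&
    set_directive "$1" ChallengeResponseAuthentication no &&
    set_directive "$1" PermitRootLogin no
}

# Constructed sample: none of its lines has the form the quoted sed
# expressions look for, so those commands would leave it unchanged.
make_sample() {         # FILE
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}
```

On a real host, `sshd -t` checks the edited file for validity before a restart, and `sshd -T` prints the configuration sshd will actually use.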
