
cloud-init team mailing list archive

Re: disabling root

 

Hi,

On 6/18/19 9:33 PM, Ryan Harper wrote:
> 
> 
> On Tue, Jun 18, 2019 at 8:24 PM Robert Schweikert <rjschwei@xxxxxxxx> wrote:
> 
>     Hi,
> 
>     Had a comment on the behavior with disabling root/setting up ssh login.
> 
>     The configuration contains:
>     ssh_pwauth: False
>     lock-passwd: True
>     disable_root: True
> 
>     And the expectation is that
> 
>     ChallengeResponseAuthentication no
>     PermitRootLogin no
> 
>     would be set, which is currently not the case. The user is getting the
>     desired behavior with:
> 
>     runcmd:
>      # Disable root and password SSH login
>      - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
>      - sed -i -e '/^#ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
>      - sed -i -e '/^#PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
>      - systemctl restart sshd
> 
>     Is this a behavior change we might want to make in cloud-init?
> 
> 
> Those values are not currently set so that ssh can respond with a helpful
> method
> which redirects the user to ssh in as a different user.
> 
> $ ssh root@10.5.0.26
> Please login as the user "ubuntu" rather than the user "root".
> 
> versus:
> 
> % ssh root@10.5.0.27
> Permission denied (publickey).
>  
> I think the current behavior is nicer.  Is there a strong requirement to
> not provide the hint?

No, I wouldn't call it a strong requirement, it was more of an
expectation in behavior.

Thanks for the explanation and the fast response.
Robert


-- 
Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Technical Team Lead Public Cloud
rjschwei@xxxxxxxx
IRC: robjo
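
An added example, not part of the thread and not cloud-init code: the `sed` edits quoted above only rewrite lines that already match their patterns, so it is worth checking which values sshd will actually use afterwards. This Python check reads the global section of one sshd_config text; it assumes no `Include` files, the sample config is constructed, and the function names are hypothetical.

```python
import re

# Values the original post expects sshd to end up with.
EXPECTED = {
    "permitrootlogin": "no",
    "challengeresponseauthentication": "no",
    "passwordauthentication": "no",
}

# Constructed sample, not taken from a real host.
SAMPLE = """\
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

def effective_global(config_text):
    """Global-section {keyword: value}; keywords are case-insensitive."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks are conditional; global section ends here
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # sshd keeps the first value it reads
    return seen

def audit(config_text, expected=EXPECTED):
    """Map each expected keyword to 'ok', 'unset' or 'mismatch:<value>'."""
    seen = effective_global(config_text)
    report = {}
    for key, want in expected.items():
        if key not in seen:
            report[key] = "unset"  # sshd's built-in default applies
        elif seen[key] == want:
            report[key] = "ok"
        else:
            report[key] = "mismatch:" + seen[key]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the running system, `sshd -T` prints the effective configuration, including built-in defaults, and can be used to confirm the result.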

