Changeset - 05d6e093a771
0 1 0
Lance Edgar - 6 years ago 2019-02-09 17:55:12
ledgar@techsupport.coop
Improve logic for locking down SSH config

what a tricky mess
1 file changed with 6 insertions and 2 deletions:
rattail_fabric2/ssh.py
 
@@ -50,6 +50,7 @@ def configure(c, allow_root=False):
 
    path = '/etc/ssh/sshd_config'
 

	
 
    # PermitRootLogin no (or without-password)
 
    # TODO: this probably needs the same treatment as PasswordAuthentication got
 
    if c.run("grep '^PermitRootLogin ' {}".format(path), warn=True).failed:
 
        c.sudo('sed -i.bak -e "s/^#PermitRootLogin .*/PermitRootLogin {}/" {}'.format(
 
            'without-password' if allow_root else 'no', path))
 
@@ -59,8 +60,11 @@ def configure(c, allow_root=False):
 

	
 
    # PasswordAuthentication no
 
    if c.run("grep '^PasswordAuthentication ' {}".format(path), warn=True).failed:
 
        c.sudo('sed -i.bak -e "s/^#?PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path))
 
        if c.run("grep '^#PasswordAuthentication ' {}".format(path), warn=True).failed:
 
            c.sudo("""bash -c 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config'""")
 
        else:
 
            c.sudo("sed -i.bak -e 's/^#PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
 
    else:
 
        c.sudo('sed -i.bak -e "s/^PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path))
 
        c.sudo("sed -i.bak -e 's/^PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
 

	
 
    restart(c)
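Review bot: The new fallback `echo "PasswordAuthentication no" >> /etc/ssh/sshd_config` appends at the end of the file, which is not guaranteed to take effect: sshd uses the first value it reads for a keyword, and a directive placed after a `Match` line is scoped to that Match block. An active line that the `'^PasswordAuthentication '` grep misses (tab separator, leading whitespace, or a setting pulled in through `Include`) would therefore still win, leaving password logins enabled while the task appears to succeed. I would confirm the result before `restart(c)`, e.g. `c.sudo("sshd -t")` followed by `c.sudo("sshd -T | grep -qi '^passwordauthentication no'")`, so a bad or ineffective edit fails the run instead of restarting the daemon. The append also hardcodes the file name rather than using `path`, unlike the sed calls around it. `configure` starts above the first hunk, so any earlier handling is not visible here.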