From 5d81e77e8c2fa49eeaa889967e121f5e2934b304 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Mon, 13 Aug 2018 09:08:18 -0700 Subject: [PATCH] Disable password auth on dib images Glean only configures key based authentication credentials. There is no reason to allow password auth so disable it. This shouldn't be necessary as no accounts allow password auth in /etc/shadow anyway but this gives us security in layers like onions and ogres. Change-Id: Ie17aa901eb3fe7387707a236287a3e880990eeb2
---
 nodepool/elements/infra-package-needs/post-install.d/89-sshd | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/nodepool/elements/infra-package-needs/post-install.d/89-sshd b/nodepool/elements/infra-package-needs/post-install.d/89-sshd
index 4e4c93b5ab..1acece743a 100755
--- a/nodepool/elements/infra-package-needs/post-install.d/89-sshd
+++ b/nodepool/elements/infra-package-needs/post-install.d/89-sshd
@@ -26,3 +26,8 @@ set -o pipefail
 # properly login.
 sed -i -e'/PermitRootLogin/d' /etc/ssh/sshd_config \
 && echo "PermitRootLogin Yes" >> /etc/ssh/sshd_config
+
+# NOTE(clarkb): Glean configures ssh keys only and not passwords. Disable
+# unnecessary password auth.
+sed -i -e '/PasswordAuthentication/d' /etc/ssh/sshd_config \
+ && echo "PasswordAuthentication No" >> /etc/ssh/sshd_config
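Review bot: The value appended by the last added line is spelled `No`, but sshd_config(5) documents keywords as case-insensitive and arguments as case-sensitive, so an sshd build that compares flag values strictly could reject the line and refuse to start; `&& echo "PasswordAuthentication no" >> /etc/ssh/sshd_config` avoids relying on parser leniency. Since these images are reached only over ssh, running `sshd -t` after the edit would make a bad config fail the image build instead of the first boot. `PasswordAuthentication no` also does not cover keyboard-interactive logins through PAM, so if key-only access is the goal, `ChallengeResponseAuthentication no` probably needs pinning the same way, depending on each distro's shipped default. The script's earlier lines are outside the hunk, so whether a failure of this `sed ... && echo` chain aborts the build cannot be confirmed from here.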