Tweak how we lock down SSH config

hopefully avoids some logic gaps where lock-down didn't happen
Lance Edgar 2018-12-12 18:28:20 -06:00
parent 060fa981f4
commit 4344b2eae0


@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
import warnings
from fabric.api import sudo, cd, settings
from fabric.contrib.files import exists, sed, append
from fabric.contrib.files import exists, sed
from rattail_fabric import mkdir, agent_sudo
from rattail_fabric.python import cdvirtualenv
@ -70,15 +70,14 @@ def configure(allow_root=False):
"""
Configure the OpenSSH service
"""
path = '/etc/ssh/sshd_config'
# PermitRootLogin no (or without-password)
value = 'without-password' if allow_root else 'no'
sed('/etc/ssh/sshd_config', r'^#?PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
sed('/etc/ssh/sshd_config', r'^PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
entry = 'PermitRootLogin {}'.format('without-password' if allow_root else 'no')
sed(path, r'^PermitRootLogin\s+.*', entry, use_sudo=True)
append(path, entry, use_sudo=True)
entry = 'PasswordAuthentication no'
sed(path, r'^PasswordAuthentication\s+.*', entry, use_sudo=True)
append(path, entry, use_sudo=True)
# PasswordAuthentication no
sed('/etc/ssh/sshd_config', r'^#?PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
sed('/etc/ssh/sshd_config', r'^PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
restart()
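Review bot: When sshd_config has no `PermitRootLogin` or `PasswordAuthentication` line at all, commented or not, neither `sed` call matches and nothing is written, so sshd keeps its compiled-in default and the lock-down silently does not happen. That reads the `#?` lines as the new side, which the dropped `append` import suggests; the page has lost its `+`/`-` markers, so this is inferred. The literal single space in `r'^#?PasswordAuthentication .*'` also skips tab-separated or `# Keyword` lines, where the `\s+` form on the other side would match the separator. I would verify the effective setting before `restart()`, for example `sudo("sshd -T | grep -qx 'passwordauthentication no'")`, which makes the task fail instead of restarting with password logins still enabled. configure()'s `def` line sits above the hunk.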