rattail/rattail-fabric2
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Improve logic for locking down SSH config

Browse source 
what a tricky mess
This commit is contained in:
Lance Edgar 2019-02-09 17:55:12 -06:00
parent 93c2db902e
commit 05d6e093a7
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
rattail_fabric2/ssh.py
View file

@ -50,6 +50,7 @@ def configure(c, allow_root=False):
path = '/etc/ssh/sshd_config' path = '/etc/ssh/sshd_config'
# PermitRootLogin no (or without-password) # PermitRootLogin no (or without-password)
# TODO: this probably needs the same treatment as PasswordAuthentication got
if c.run("grep '^PermitRootLogin ' {}".format(path), warn=True).failed: if c.run("grep '^PermitRootLogin ' {}".format(path), warn=True).failed:
c.sudo('sed -i.bak -e "s/^#PermitRootLogin .*/PermitRootLogin {}/" {}'.format( c.sudo('sed -i.bak -e "s/^#PermitRootLogin .*/PermitRootLogin {}/" {}'.format(
'without-password' if allow_root else 'no', path)) 'without-password' if allow_root else 'no', path))
@ -59,8 +60,11 @@ def configure(c, allow_root=False):
# PasswordAuthentication no # PasswordAuthentication no
if c.run("grep '^PasswordAuthentication ' {}".format(path), warn=True).failed: if c.run("grep '^PasswordAuthentication ' {}".format(path), warn=True).failed:
c.sudo('sed -i.bak -e "s/^#?PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path)) if c.run("grep '^#PasswordAuthentication ' {}".format(path), warn=True).failed:
c.sudo("""bash -c 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config'""")
else:
c.sudo("sed -i.bak -e 's/^#PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
else: else:
c.sudo('sed -i.bak -e "s/^PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path)) c.sudo("sed -i.bak -e 's/^PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
restart(c) restart(c)