authorJoey Hess2015-04-28 16:01:19 -0400
committerJoey Hess2015-04-28 16:01:19 -0400
commitb4877efea5375cb83951d6dd1d3dbf9d70208cf8 (patch)
treeb36d7b691cddf3e62eb6a1003d88bd8d7f48dab8 /src/Propellor/Property/Ssh.hs
parent6ec8bf6b20aa33b1f55879b41f75b1470504f74e (diff)
parent960745b95e96e3d276e275554584c9bd13565f5b (diff)
Merge branch 'joeyconfig'
Diffstat (limited to 'src/Propellor/Property/Ssh.hs')
-rw-r--r--src/Propellor/Property/Ssh.hs9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 236016ff..37e65728 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -4,6 +4,7 @@ module Propellor.Property.Ssh (
setSshdConfig,
permitRootLogin,
passwordAuthentication,
+ noPasswords,
hasAuthorizedKeys,
authorizedKey,
restarted,
@@ -54,6 +55,14 @@ permitRootLogin = setSshdConfig "PermitRootLogin"
passwordAuthentication :: Bool -> Property NoInfo
passwordAuthentication = setSshdConfig "PasswordAuthentication"
+-- | Configure ssh to not allow password logins.
+--
+-- To prevent lock-out, this is done only once root's
+-- authorized_keys is in place.
+noPasswords :: Property NoInfo
+noPasswords = check (hasAuthorizedKeys (User "root")) $
+ passwordAuthentication False
+
dotDir :: User -> IO FilePath
dotDir user = do
h <- homedir user
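Review bot: When root has no authorized_keys, `noPasswords` appears to make no change and give no warning (assuming `check` simply skips the wrapped property when its predicate is false), so a host can carry this property while sshd still accepts passwords. The Haddock comment should say so explicitly, for example `-- Until then this property makes no change and password logins remain enabled.`, so that an operator does not read the property as a guarantee. The guard also depends on what `hasAuthorizedKeys` tests, which is defined outside this hunk; if it only checks that the file exists or is non-empty, that does not confirm a usable key, and the lock-out protection is better described as partial. Separately, only `PasswordAuthentication` is set here, so whether keyboard-interactive (PAM) password prompts are also off depends on the rest of sshd_config and deserves a sentence in the comment.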