From 7964ed7caf49c2ad0a75490e7fd2dfb9ef7c3043 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 23 Apr 2015 11:58:37 -0400
Subject: propellor spin
---
 src/Propellor/Property/Ssh.hs | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/Propellor/Property')
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 236016ff..37e65728 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -4,6 +4,7 @@ module Propellor.Property.Ssh (
 setSshdConfig,
 permitRootLogin,
 passwordAuthentication,
+ noPasswords,
 hasAuthorizedKeys,
 authorizedKey,
 restarted,
@@ -54,6 +55,14 @@ permitRootLogin = setSshdConfig "PermitRootLogin"
 passwordAuthentication :: Bool -> Property NoInfo
 passwordAuthentication = setSshdConfig "PasswordAuthentication"
 
+-- | Configure ssh to not allow password logins.
+--
+-- To prevent lock-out, this is done only once root's
+-- authorized_keys is in place.
+noPasswords :: Property NoInfo
+noPasswords = check (hasAuthorizedKeys (User "root")) $
+ passwordAuthentication False
+
 dotDir :: User -> IO FilePath
 dotDir user = do
 h <- homedir user
-- 
cgit v1.2.3
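Review bot: In the second hunk, `noPasswords` appears to be skipped without any error when root has no authorized_keys, because `check` guards the whole property, so a host that declares it can go on accepting password logins with nothing to signal that. The doc comment should say this and state the ordering requirement, for example by adding `-- Until then password authentication is left as it was; order this after the property that installs root's key.` The lock-out guard is also only as strong as `hasAuthorizedKeys`, which is defined outside the hunk; if it merely tests that the file exists or is non-empty, a malformed or wrong key would pass it. The property sets only `PasswordAuthentication`, so where sshd has keyboard-interactive authentication enabled through PAM, passwords may still be accepted; that caveat belongs in the comment too.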