distro/rhel85: disable pw auth for EC2 images

Disable loging in via password authentication since this is an official Amazon marketplace requirement Linux-based AMIs must not allow SSH password authentication. Disable password authentication via your sshd_config file by setting PasswordAuthentication to NO. Section "Security policies" from https://docs.aws.amazon.com/marketplace/latest/userguide/product-and-ami-policies.html
2022-01-28 16:06:38 +00:00 · 2022-01-28 16:06:38 +00:00 · 8aede24057
commit 8aede24057
parent 6f132181d9
6 changed files with 46 additions and 0 deletions
--- a/internal/distro/rhel85/pipelines.go
+++ b/internal/distro/rhel85/pipelines.go
@ -371,6 +371,12 @@ func ec2BaseTreePipeline(repos []rpmmd.RepoConfig, packages []rpmmd.PackageSpec,
 		p.AddStage(osbuild.NewRHSMStage(rhsmStageOptions))
 	}

+	p.AddStage((osbuild.NewSshdConfigStage(&osbuild.SshdConfigStageOptions{
+		Config: osbuild.SshdConfigConfig{
+			PasswordAuthentication: common.BoolToPtr(false),
+		},
+	})))
+
 	return p, nil
 }

--- a/test/data/manifests/rhel_85-aarch64-ami-boot.json
+++ b/test/data/manifests/rhel_85-aarch64-ami-boot.json
@ -1060,6 +1060,14 @@
              }
            }
          },
+          {
+            "type": "org.osbuild.sshd.config",
+            "options": {
+              "config": {
+                "PasswordAuthentication": false
+              }
+            }
+          },
          {
            "type": "org.osbuild.fstab",
            "options": {
--- a/test/data/manifests/rhel_85-aarch64-ec2-boot.json
+++ b/test/data/manifests/rhel_85-aarch64-ec2-boot.json
@ -1074,6 +1074,14 @@
              }
            }
          },
+          {
+            "type": "org.osbuild.sshd.config",
+            "options": {
+              "config": {
+                "PasswordAuthentication": false
+              }
+            }
+          },
          {
            "type": "org.osbuild.fstab",
            "options": {
--- a/test/data/manifests/rhel_85-x86_64-ami-boot.json
+++ b/test/data/manifests/rhel_85-x86_64-ami-boot.json
@ -1035,6 +1035,14 @@
              }
            }
          },
+          {
+            "type": "org.osbuild.sshd.config",
+            "options": {
+              "config": {
+                "PasswordAuthentication": false
+              }
+            }
+          },
          {
            "type": "org.osbuild.dracut.conf",
            "options": {
--- a/test/data/manifests/rhel_85-x86_64-ec2-boot.json
+++ b/test/data/manifests/rhel_85-x86_64-ec2-boot.json
@ -1050,6 +1050,14 @@
              }
            }
          },
+          {
+            "type": "org.osbuild.sshd.config",
+            "options": {
+              "config": {
+                "PasswordAuthentication": false
+              }
+            }
+          },
          {
            "type": "org.osbuild.dracut.conf",
            "options": {
--- a/test/data/manifests/rhel_85-x86_64-ec2_ha-boot.json
+++ b/test/data/manifests/rhel_85-x86_64-ec2_ha-boot.json
@ -1234,6 +1234,14 @@
              }
            }
          },
+          {
+            "type": "org.osbuild.sshd.config",
+            "options": {
+              "config": {
+                "PasswordAuthentication": false
+              }
+            }
+          },
          {
            "type": "org.osbuild.dracut.conf",
            "options": {