From 90cebf03370f1e892577ec4232ec3412f54e2d7e Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Fri, 28 Jan 2022 16:10:42 +0000
Subject: [PATCH] distro/rhel86: disable pw auth for EC2 images

Disable loging in via password authentication since this is an official Amazon marketplace requirement Linux-based AMIs must not allow SSH password authentication. Disable password authentication via your sshd_config file by setting PasswordAuthentication to NO. Section "Security policies" from https://docs.aws.amazon.com/marketplace/latest/userguide/product-and-ami-policies.html
---
 internal/distro/rhel86/distro.go | 5 +++++
 internal/distro/rhel86/pipelines.go | 4 ++++
 test/data/manifests/centos_8-aarch64-ami-boot.json | 8 ++++++++
 test/data/manifests/centos_8-x86_64-ami-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-aarch64-ami-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-aarch64-ec2-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-x86_64-ami-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-x86_64-ec2-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-x86_64-ec2_ha-boot.json | 8 ++++++++
 test/data/manifests/rhel_86-x86_64-ec2_sap-boot.json | 8 ++++++++
 10 files changed, 73 insertions(+)

diff --git a/internal/distro/rhel86/distro.go b/internal/distro/rhel86/distro.go
index 98fe32dcb..5bf0935c9 100644
--- a/internal/distro/rhel86/distro.go
+++ b/internal/distro/rhel86/distro.go
@@ -944,6 +944,11 @@ func newDistro(distroName string) distro.Distro {
 Authselect: &osbuild.AuthselectStageOptions{
 Profile: "sssd",
 },
+ SshdConfig: &osbuild.SshdConfigStageOptions{
+ Config: osbuild.SshdConfigConfig{
+ PasswordAuthentication: common.BoolToPtr(false),
+ },
+ },
 }
 
 // default EC2 images config (x86_64)
diff --git a/internal/distro/rhel86/pipelines.go b/internal/distro/rhel86/pipelines.go
index c6bae041f..0d83fd1ba 100644
--- a/internal/distro/rhel86/pipelines.go
+++ b/internal/distro/rhel86/pipelines.go
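Review bot: The new SshdConfig block carries no rationale in code; the marketplace requirement lives only in the commit message, so a later edit could drop or flip the value without anything in the file objecting. A one-line comment above the field would keep it with the code, `// Amazon Marketplace policy: EC2/AMI images must not allow SSH password authentication.`. The config literal this hunk completes starts outside the hunk, so which image configs derive from it is not visible; the `// default EC2 images config (x86_64)` comment that follows suggests this is the shared base, but that is inferred. If the image's cloud-init configuration also manages password authentication (the ssh_pwauth setting), the two should agree, since cloud-init can rewrite this directive at first boot — worth confirming rather than assuming.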
@@ -515,6 +515,10 @@ func osPipeline(t *imageType,
 p.AddStage(osbuild.NewDNFConfigStage(dnfConfig))
 }
 
+ if sshdConfig := imageConfig.SshdConfig; sshdConfig != nil {
+ p.AddStage((osbuild.NewSshdConfigStage(sshdConfig)))
+ }
+
 if pt != nil {
 p = prependKernelCmdlineStage(p, t, pt)
 p.AddStage(osbuild.NewFSTabStage(pt.FSTabStageOptionsV2()))
diff --git a/test/data/manifests/centos_8-aarch64-ami-boot.json b/test/data/manifests/centos_8-aarch64-ami-boot.json
index acf5f4e70..f11fef49f 100644
--- a/test/data/manifests/centos_8-aarch64-ami-boot.json
+++ b/test/data/manifests/centos_8-aarch64-ami-boot.json
@@ -1031,6 +1031,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/centos_8-x86_64-ami-boot.json b/test/data/manifests/centos_8-x86_64-ami-boot.json
index f1d01173b..0a3375e86 100644
--- a/test/data/manifests/centos_8-x86_64-ami-boot.json
+++ b/test/data/manifests/centos_8-x86_64-ami-boot.json
@@ -1015,6 +1015,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-aarch64-ami-boot.json b/test/data/manifests/rhel_86-aarch64-ami-boot.json
index 4b0090907..5b4f38830 100644
--- a/test/data/manifests/rhel_86-aarch64-ami-boot.json
+++ b/test/data/manifests/rhel_86-aarch64-ami-boot.json
@@ -1058,6 +1058,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-aarch64-ec2-boot.json b/test/data/manifests/rhel_86-aarch64-ec2-boot.json
index a0904bc31..2c4e04902 100644
--- a/test/data/manifests/rhel_86-aarch64-ec2-boot.json
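Review bot: The added p.AddStage line wraps its argument in a redundant second pair of parentheses, `p.AddStage((osbuild.NewSshdConfigStage(sshdConfig)))`; gofmt keeps them, so it should be written `p.AddStage(osbuild.NewSshdConfigStage(sshdConfig))` to match the other AddStage calls in the hunk. The guard makes the stage opt-in per image config, which deserves a word at the site, e.g. `// Only image configs that set SshdConfig get the stage; a nil config leaves sshd_config untouched here.` The stage is emitted after the DNF config stage and before the fstab stage, so it runs after anything earlier in the pipeline that may also edit sshd_config; whether such a stage exists is not visible in the hunk. osPipeline starts and ends outside the hunk.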
+++ b/test/data/manifests/rhel_86-aarch64-ec2-boot.json
@@ -1072,6 +1072,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-x86_64-ami-boot.json b/test/data/manifests/rhel_86-x86_64-ami-boot.json
index 4aa88901d..0d1968968 100644
--- a/test/data/manifests/rhel_86-x86_64-ami-boot.json
+++ b/test/data/manifests/rhel_86-x86_64-ami-boot.json
@@ -1045,6 +1045,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-x86_64-ec2-boot.json b/test/data/manifests/rhel_86-x86_64-ec2-boot.json
index f63afd834..5e153a7cc 100644
--- a/test/data/manifests/rhel_86-x86_64-ec2-boot.json
+++ b/test/data/manifests/rhel_86-x86_64-ec2-boot.json
@@ -1061,6 +1061,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-x86_64-ec2_ha-boot.json b/test/data/manifests/rhel_86-x86_64-ec2_ha-boot.json
index 556b3ba29..8b050a8ab 100644
--- a/test/data/manifests/rhel_86-x86_64-ec2_ha-boot.json
+++ b/test/data/manifests/rhel_86-x86_64-ec2_ha-boot.json
@@ -1248,6 +1248,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_86-x86_64-ec2_sap-boot.json b/test/data/manifests/rhel_86-x86_64-ec2_sap-boot.json
index 3e0993bf4..df426b2ae 100644
--- a/test/data/manifests/rhel_86-x86_64-ec2_sap-boot.json
+++ b/test/data/manifests/rhel_86-x86_64-ec2_sap-boot.json
@@ -1416,6 +1416,14 @@
 ]
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {