From 9302befa677f9a0a775d054c9a28b300d810f4f1 Mon Sep 17 00:00:00 2001 From: Christian Kellner Date: Fri, 28 Jan 2022 16:11:17 +0000 Subject: [PATCH] distro/rhel90: disable pw auth for EC2 images Disable loging in via password authentication since this is an official Amazon marketplace requirement Linux-based AMIs must not allow SSH password authentication. Disable password authentication via your sshd_config file by setting PasswordAuthentication to NO. Section "Security policies" from https://docs.aws.amazon.com/marketplace/latest/userguide/product-and-ami-policies.html
---
 internal/distro/rhel90/distro.go | 5 +++++
 internal/distro/rhel90/pipelines.go | 4 ++++
 test/data/manifests/rhel_90-aarch64-ami-boot.json | 8 ++++++++
 test/data/manifests/rhel_90-aarch64-ec2-boot.json | 8 ++++++++
 test/data/manifests/rhel_90-x86_64-ami-boot.json | 8 ++++++++
 test/data/manifests/rhel_90-x86_64-ec2-boot.json | 8 ++++++++
 test/data/manifests/rhel_90-x86_64-ec2_ha-boot.json | 8 ++++++++
 test/data/manifests/rhel_90-x86_64-ec2_sap-boot.json | 8 ++++++++
 8 files changed, 57 insertions(+)
diff --git a/internal/distro/rhel90/distro.go b/internal/distro/rhel90/distro.go
index 83606d3ac..c4d4519fd 100644
--- a/internal/distro/rhel90/distro.go
+++ b/internal/distro/rhel90/distro.go
@@ -945,6 +945,11 @@ func newDistro(distroName string) distro.Distro {
 Authselect: &osbuild.AuthselectStageOptions{
 Profile: "sssd",
 },
+ SshdConfig: &osbuild.SshdConfigStageOptions{
+ Config: osbuild.SshdConfigConfig{
+ PasswordAuthentication: common.BoolToPtr(false),
+ },
+ },
 }
 
 // default EC2 images config (x86_64)
diff --git a/internal/distro/rhel90/pipelines.go b/internal/distro/rhel90/pipelines.go
index e908b95bc..ec73c957c 100644
--- a/internal/distro/rhel90/pipelines.go
+++ b/internal/distro/rhel90/pipelines.go
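Review bot: The new `SshdConfig` block in the distro.go hunk sets only `PasswordAuthentication`, so password prompts served through keyboard-interactive/PAM authentication still depend on whatever the base package configuration ships. The built image's effective settings (for example with `sshd -T`) should be checked for the challenge-response/keyboard-interactive option as well, and that option pinned here too if the stage options expose it. The field also deserves a comment recording why it must stay, e.g. `// AWS Marketplace policy: AMIs must not allow SSH password authentication.`, because the reason currently lives only in the commit message. The enclosing config literal and `newDistro` start and end outside the hunk, so which image types inherit this config is inferred from the manifests the commit touches.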
@@ -501,6 +501,10 @@ func osPipeline(t *imageType,
 p.AddStage(osbuild.NewDNFConfigStage(dnfConfig))
 }
 
+ if sshdConfig := imageConfig.SshdConfig; sshdConfig != nil {
+ p.AddStage((osbuild.NewSshdConfigStage(sshdConfig)))
+ }
+
 if pt != nil {
 p = prependKernelCmdlineStage(p, t, pt)
 p.AddStage(osbuild.NewFSTabStage(pt.FSTabStageOptionsV2()))
diff --git a/test/data/manifests/rhel_90-aarch64-ami-boot.json b/test/data/manifests/rhel_90-aarch64-ami-boot.json
index 1adf08f51..a83c38825 100644
--- a/test/data/manifests/rhel_90-aarch64-ami-boot.json
+++ b/test/data/manifests/rhel_90-aarch64-ami-boot.json
@@ -977,6 +977,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_90-aarch64-ec2-boot.json b/test/data/manifests/rhel_90-aarch64-ec2-boot.json
index 7cb6f8ef3..fac186795 100644
--- a/test/data/manifests/rhel_90-aarch64-ec2-boot.json
+++ b/test/data/manifests/rhel_90-aarch64-ec2-boot.json
@@ -991,6 +991,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_90-x86_64-ami-boot.json b/test/data/manifests/rhel_90-x86_64-ami-boot.json
index 614d8da79..bb00085cf 100644
--- a/test/data/manifests/rhel_90-x86_64-ami-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-ami-boot.json
@@ -972,6 +972,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_90-x86_64-ec2-boot.json b/test/data/manifests/rhel_90-x86_64-ec2-boot.json
index 127e6846d..240e0ca77 100644
--- a/test/data/manifests/rhel_90-x86_64-ec2-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-ec2-boot.json
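Review bot: The added call `p.AddStage((osbuild.NewSshdConfigStage(sshdConfig)))` in the pipelines.go hunk carries a redundant pair of parentheses; `p.AddStage(osbuild.NewSshdConfigStage(sshdConfig))` matches the neighbouring `AddStage` calls. Separately, this stage fixes the sshd configuration at image build time only: first-boot tooling such as cloud-init can rewrite `PasswordAuthentication` when `ssh_pwauth` is set, so it is worth confirming that the image's cloud-init defaults do not undo the setting (nothing in this hunk shows either way). `osPipeline` starts and ends outside the hunk.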
@@ -988,6 +988,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_90-x86_64-ec2_ha-boot.json b/test/data/manifests/rhel_90-x86_64-ec2_ha-boot.json
index 45580fc43..7371f3820 100644
--- a/test/data/manifests/rhel_90-x86_64-ec2_ha-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-ec2_ha-boot.json
@@ -1182,6 +1182,14 @@
 "profile": "sssd"
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {
diff --git a/test/data/manifests/rhel_90-x86_64-ec2_sap-boot.json b/test/data/manifests/rhel_90-x86_64-ec2_sap-boot.json
index 8791c9e26..f2b683ed8 100644
--- a/test/data/manifests/rhel_90-x86_64-ec2_sap-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-ec2_sap-boot.json
@@ -1353,6 +1353,14 @@
 ]
 }
 },
+ {
+ "type": "org.osbuild.sshd.config",
+ "options": {
+ "config": {
+ "PasswordAuthentication": false
+ }
+ }
+ },
 {
 "type": "org.osbuild.fstab",
 "options": {