author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-01-09 16:12:48 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-01-09 16:12:48 +0000 |
commit | b31cdd0d8d5a954399a81addf3c63a33920b1f62 (patch) | |
tree | 12d0178d7ce0e246a8811e57676dd0b64c9d7478 | |
parent | 84b9cc1b8e26f2799879f57226c0bcb11bd8b7b6 (diff) | |
download | infrastructure-b31cdd0d8d5a954399a81addf3c63a33920b1f62.tar.gz |
Note that all systems should prevent SSH login with password
-rw-r--r-- | README.mdwn | 9 | ||||
-rw-r--r-- | admin/sshd_config.yaml | 7 |
2 files changed, 16 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn index f8dc1cc5..a978114a 100644 --- a/README.mdwn +++ b/README.mdwn @@ -172,6 +172,15 @@ this. If you specify a floating IP that is in use by an existing instance, you will steal it for your own instance and probably break one of our web services. +General notes +------------- + +Ensure SSH password login is disabled in all systems you deploy! See: +<https://testbit.eu/is-ssh-insecure/> for why. The Ansible playbook +admin/sshd_config.yaml can ensure that all systems have password login +disabled. + + Administration -------------- diff --git a/admin/sshd_config.yaml b/admin/sshd_config.yaml new file mode 100644 index 00000000..dda981b2 --- /dev/null +++ b/admin/sshd_config.yaml @@ -0,0 +1,7 @@ +--- +- hosts: all + tasks: + - name: ensure SSH login with password is disabled + lineinfile: + dest=/etc/ssh/sshd_config + line='PasswordAuthentication no' |
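Review bot: The new "General notes" section in README.mdwn names admin/sshd_config.yaml but does not say how or when to run it, so a reader deploying a new system still has to work out the invocation and inventory on their own. Consider adding the exact command used for the other playbooks in this repository, and stating whether it should be run once per new system or periodically against everything. It would also help to give the reason in one sentence in the README itself rather than only through the external link, so the instruction still makes sense if that link goes away.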
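Review bot: The lineinfile task in admin/sshd_config.yaml has no regexp= argument, so on a host whose sshd_config already contains "PasswordAuthentication yes" the module will leave that line in place and append "PasswordAuthentication no" at the end of the file. sshd uses the first value it finds for each keyword, so the earlier "yes" would still win and the task would report success while password login stays enabled. Suggest adding something like regexp='^#?\s*PasswordAuthentication' so an existing line is replaced instead. The play also has no handler or task that reloads sshd after the change, so the new setting does not take effect until the daemon is next restarted; a notify on this task with a matching reload handler would close that gap.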