author Sam Thursfield <sam.thursfield@codethink.co.uk> 2015-01-09 16:12:48 +0000
committer Sam Thursfield <sam.thursfield@codethink.co.uk> 2015-01-09 16:12:48 +0000
commit b31cdd0d8d5a954399a81addf3c63a33920b1f62
tree 12d0178d7ce0e246a8811e57676dd0b64c9d7478
parent 84b9cc1b8e26f2799879f57226c0bcb11bd8b7b6
download infrastructure-b31cdd0d8d5a954399a81addf3c63a33920b1f62.tar.gz
Note that all systems should prevent SSH login with password
-rw-r--r-- README.mdwn 9
-rw-r--r-- admin/sshd_config.yaml 7
2 files changed, 16 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index f8dc1cc5..a978114a 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -172,6 +172,15 @@ this. If you specify a floating IP that is in use by an existing instance, you
will steal it for your own instance and probably break one of our web services.
+General notes
+-------------
+
+Ensure SSH password login is disabled in all systems you deploy! See:
+<https://testbit.eu/is-ssh-insecure/> for why. The Ansible playbook
+admin/sshd_config.yaml can ensure that all systems have password login
+disabled.
+
+
Administration
--------------
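Review bot: The new "General notes" paragraph names admin/sshd_config.yaml but does not say how or when to run it, so a reader deploying a new system cannot tell whether the playbook is applied automatically or has to be invoked by hand against the inventory. Suggest adding the ansible-playbook invocation used for this repository and stating that it should be run after each new deployment. The rationale also lives only behind the external link; a one-sentence summary of why password login is disabled would keep the note useful if that URL stops resolving.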
diff --git a/admin/sshd_config.yaml b/admin/sshd_config.yaml
new file mode 100644
index 00000000..dda981b2
--- /dev/null
+++ b/admin/sshd_config.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+ tasks:
+ - name: ensure SSH login with password is disabled
+ lineinfile:
+ dest=/etc/ssh/sshd_config
+ line='PasswordAuthentication no'
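Review bot: The lineinfile task has no regexp= argument, so on a host whose /etc/ssh/sshd_config already contains "PasswordAuthentication yes" it appends a second line instead of replacing the first. sshd uses the first value it reads for each keyword, so the earlier "yes" still wins and the play reports success while password login stays enabled. Suggest adding a regexp such as regexp='^#?\s*PasswordAuthentication' so the existing line (commented or not) is rewritten in place. Nothing in the play reloads sshd either, so even a correct edit does not take effect until the daemon is restarted; a notify with a handler that restarts the SSH service would close that gap. Depending on the host's PAM setup, keyboard-interactive authentication can still accept passwords with this setting alone, so it is worth checking whether ChallengeResponseAuthentication needs the same treatment.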