From b31cdd0d8d5a954399a81addf3c63a33920b1f62 Mon Sep 17 00:00:00 2001 From: Sam Thursfield Date: Fri, 9 Jan 2015 16:12:48 +0000 Subject: Note that all systems should prevent SSH login with password --- README.mdwn | 9 +++++++++ admin/sshd_config.yaml | 7 +++++++ 2 files changed, 16 insertions(+) create mode 100644 admin/sshd_config.yaml diff --git a/README.mdwn b/README.mdwn index f8dc1cc5..a978114a 100644 --- a/README.mdwn +++ b/README.mdwn @@ -172,6 +172,15 @@ this. If you specify a floating IP that is in use by an existing instance, you will steal it for your own instance and probably break one of our web services. +General notes +------------- + +Ensure SSH password login is disabled in all systems you deploy! See: + for why. The Ansible playbook +admin/sshd_config.yaml can ensure that all systems have password login +disabled. + + Administration -------------- diff --git a/admin/sshd_config.yaml b/admin/sshd_config.yaml new file mode 100644 index 00000000..dda981b2 --- /dev/null +++ b/admin/sshd_config.yaml @@ -0,0 +1,7 @@ +--- +- hosts: all + tasks: + - name: ensure SSH login with password is disabled + lineinfile: + dest=/etc/ssh/sshd_config + line='PasswordAuthentication no' -- cgit v1.2.1
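Review bot: The `lineinfile` task in admin/sshd_config.yaml has no `regexp=`, so on a host whose sshd_config already contains `PasswordAuthentication yes` it only appends a second directive at the end of the file. sshd keeps the first value it reads for a keyword, and a line appended after a `Match` block applies only inside that block, so password login can stay enabled while the play reports success. The task also never reloads sshd, so even a correct edit has no effect until the daemon is next restarted. I would replace the existing directive in place, insert at the top of the file when none exists, validate the file before it is written, and notify a reload handler, as below; the sshd binary path and the service name are assumptions to adjust per system. Keyboard-interactive authentication through PAM may still accept passwords, so it is worth confirming the effective settings with `sshd -T` after the run.

```yaml
# … unchanged: play header and task name …
      lineinfile:
        dest=/etc/ssh/sshd_config
        regexp='^PasswordAuthentication'
        insertbefore=BOF
        line='PasswordAuthentication no'
        validate='/usr/sbin/sshd -t -f %s'
      notify: reload sshd

  handlers:
    # service name assumed to be "sshd"; some distributions call it "ssh"
    - name: reload sshd
      service: name=sshd state=reloaded
```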