From: Grant Slater
Date: Thu, 31 Mar 2022 13:13:15 +0000 (+0100)
Subject: openssh: disable password authentication by default (except dev)
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/95e0606e9e28b0fecc515a6505d97d9e1618d781

openssh: disable password authentication by default (except dev)
---

diff --git a/cookbooks/openssh/attributes/default.rb b/cookbooks/openssh/attributes/default.rb
index d829ee259..7e5d78307 100644
--- a/cookbooks/openssh/attributes/default.rb
+++ b/cookbooks/openssh/attributes/default.rb
@@ -1 +1,2 @@
 default[:openssh][:port] = 22
+default[:openssh][:password_authentication] = false
diff --git a/cookbooks/openssh/templates/default/sshd_config.conf.erb b/cookbooks/openssh/templates/default/sshd_config.conf.erb
index 00a540a5e..99e427cc4 100644
--- a/cookbooks/openssh/templates/default/sshd_config.conf.erb
+++ b/cookbooks/openssh/templates/default/sshd_config.conf.erb
@@ -1,3 +1,9 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 Port <%= node[:openssh][:port] %>
+
+<% if node[:openssh][:password_authentication] -%>
+PasswordAuthentication yes
+<% else -%>
+PasswordAuthentication no
+<% end -%>
diff --git a/roles/dev.rb b/roles/dev.rb
index d546c7d1f..3ba2b803f 100644
--- a/roles/dev.rb
+++ b/roles/dev.rb
@@ -151,6 +151,9 @@ default_attributes(
 "kernel.shmmax" => "17179869184"
 }
 }
+ },
+ :openssh => {
+ :password_authentication => true
 }
 )
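Review bot: The `<% if node[:openssh][:password_authentication] -%>` test in sshd_config.conf.erb fails open, because any truthy attribute value renders `PasswordAuthentication yes`, including a string such as "no" or "false" that a node or environment override could carry. Comparing against the boolean, `<% if node[:openssh][:password_authentication] == true -%>`, keeps every unexpected value on the key-only branch. Separately, `PasswordAuthentication no` does not cover keyboard-interactive logins that go through PAM, and nothing in the visible template sets that option. If `UsePAM` is enabled on these hosts, it is worth rendering `KbdInteractiveAuthentication no` in the else branch as well.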
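Review bot: The `:openssh => { :password_authentication => true }` override in roles/dev.rb carries no comment saying why dev hosts are exempt from the new key-only default, so the exception is easy to copy into other roles or to forget. A line such as `# dev hosts keep SSH password logins; every other role inherits the key-only default` above the key would record it. Because this is a role-level default, every node that includes the dev role will accept password logins, so it is worth confirming those hosts have brute-force throttling in place; none is visible in this diff. The default_attributes block starts outside the hunk.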