From dd60d2315404d0ece053ade46bc2fd67f98dd86d Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@therootcompany.com>
Date: Wed, 10 Nov 2021 08:56:33 +0000
Subject: [PATCH] security(ssh-adduser): disable UsePAM on macOS (otherwise
 passwords are still allowed)

---
 ssh-utils/ssh-adduser.sh | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ssh-utils/ssh-adduser.sh b/ssh-utils/ssh-adduser.sh
index 99a1586..17794a3 100644
--- a/ssh-utils/ssh-adduser.sh
+++ b/ssh-utils/ssh-adduser.sh
@@ -53,14 +53,24 @@ function __run_ssh_adduser() {
         sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
 
     # TODO ensure that ssh-password login is off
-    my_user="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
-    if [[ -n ${my_user} ]]; then
-
+    my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
+    my_pam=""
+    if [[ "Darwin" == "$(uname -s)" ]]; then
+        # Turn off PAM for macOS or it will allow password login
+        my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
+    fi
+    if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
         echo "######################################################################"
         echo "#                                                                    #"
         echo "#                             WARNING                                #"
         echo "#                                                                    #"
-        echo "# Found /etc/ssh/sshd_config: PasswordAuthentication yes             #"
+        echo "# Found /etc/ssh/sshd_config:                                        #"
+        if [[ -n ${my_pass} ]]; then
+            echo "#     PasswordAuthentication yes                                     #"
+        fi
+        if [[ -n ${my_pam} ]]; then
+            echo "#     UsePAM yes                                                     #"
+        fi
         echo "#                                                                    #"
         echo "# This is EXTREMELY DANGEROUS and insecure.                          #"
         echo "# We'll attempt to fix this now...                                   #"
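Review bot: The detection at `my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"` (and the new `UsePAM yes` grep) matches commented-out lines such as the stock `#PasswordAuthentication yes` and, more importantly, reports nothing when the directive is absent, even though sshd's built-in default for PasswordAuthentication is `yes`, so the warning can be silent on a host that still accepts passwords. Asking sshd for its effective configuration avoids both problems and also follows any `Include` directives that a single-file grep misses: `my_pass="$(sshd -T 2>/dev/null | grep -i '^passwordauthentication yes')"` (needs root, which this code path already assumes given the `sed -i` on `/etc/ssh/sshd_config`; on macOS sshd is typically `/usr/sbin/sshd`, so `command -v sshd` may need a PATH fallback). As far as I can tell the "passwords still allowed" path the subject refers to is PAM keyboard-interactive auth, which `ChallengeResponseAuthentication no` (`KbdInteractiveAuthentication no` on newer OpenSSH) closes without turning PAM off altogether — worth a one-line comment next to `my_pam=""` stating why `UsePAM no` was chosen over that. The enclosing `__run_ssh_adduser` starts before this hunk.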
@@ -69,6 +79,9 @@ function __run_ssh_adduser() {
         sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
             /etc/ssh/sshd_config
 
+        sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
+            /etc/ssh/sshd_config
+
         if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
             echo "# FAILED. Please check /etc/ssh/sshd_config manually.                #"
         else
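Review bot: The new `sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/'` runs unconditionally, so on Linux a `PasswordAuthentication yes` hit also flips `UsePAM yes` to `no`, a change the commit scopes to macOS and one that drops PAM account/session handling there; it should be gated on `my_pam` (which is only set under Darwin in the first hunk). On macOS itself the line is unlikely to work, since BSD sed requires an explicit suffix after `-i` and does not understand `\?` or `\|` — the pre-existing PasswordAuthentication sed above it has the same limitation, but that predates this commit. The success check at `if grep "PasswordAuthentication yes"` never looks at `UsePAM`, so a failed PAM edit is reported as fixed. The function continues past the end of this hunk.

```shell
        # … unchanged: PasswordAuthentication sed …

        if [[ -n ${my_pam} ]]; then
            # my_pam is only set on Darwin; macOS ships BSD sed, where -i needs an
            # explicit (empty) suffix and \? / \| are unsupported, hence -E syntax.
            sed -E -i '' 's/^#?[[:space:]]*UsePAM[[:space:]]+(yes|no)/UsePAM no/' \
                /etc/ssh/sshd_config
        fi

        # Verify both directives we touched; UsePAM only matters where we changed it.
        if grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config ||
            { [[ -n ${my_pam} ]] && grep -q "UsePAM yes" /etc/ssh/sshd_config; }; then
```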
-- 
2.25.1