security(ssh-adduser): disable UsePAM on macOS (otherwise passwords are still allowed)
author
AJ ONeal
<aj@therootcompany.com>
Wed, 10 Nov 2021 08:56:33 +0000
(08:56 +0000)
committer
AJ ONeal
<aj@therootcompany.com>
Sun, 14 Nov 2021 08:18:45 +0000
(08:18 +0000)
ssh-utils/ssh-adduser.sh
diff --git
a/ssh-utils/ssh-adduser.sh
b/ssh-utils/ssh-adduser.sh
index 99a158636921e4c4e4d0b0779c853f662185fa4d..17794a37f3548516acebd3f118874ee152508548 100644
--- a/
ssh-utils/ssh-adduser.sh
+++ b/
ssh-utils/ssh-adduser.sh
@@
-53,14
+53,24
@@
function __run_ssh_adduser() {
sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
# TODO ensure that ssh-password login is off
sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
# TODO ensure that ssh-password login is off
- my_user="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
- if [[ -n ${my_user} ]]; then
-
+ my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
+ my_pam=""
+ if [[ "Darwin" == "$(uname -s)" ]]; then
+ # Turn off PAM for macOS or it will allow password login
+ my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
+ fi
+ if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
echo "######################################################################"
echo "# #"
echo "# WARNING #"
echo "# #"
echo "######################################################################"
echo "# #"
echo "# WARNING #"
echo "# #"
- echo "# Found /etc/ssh/sshd_config: PasswordAuthentication yes #"
+ echo "# Found /etc/ssh/sshd_config: #"
+ if [[ -n ${my_pass} ]]; then
+ echo "# PasswordAuthentication yes #"
+ fi
+ if [[ -n ${my_pam} ]]; then
+ echo "# UsePAM yes #"
+ fi
echo "# #"
echo "# This is EXTREMELY DANGEROUS and insecure. #"
echo "# We'll attempt to fix this now... #"
echo "# #"
echo "# This is EXTREMELY DANGEROUS and insecure. #"
echo "# We'll attempt to fix this now... #"
@@
-69,6
+79,9
@@
function __run_ssh_adduser() {
sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
/etc/ssh/sshd_config
sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
/etc/ssh/sshd_config
+ sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
+ /etc/ssh/sshd_config
+
if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
else
if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
else