From dd60d2315404d0ece053ade46bc2fd67f98dd86d Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 10 Nov 2021 08:56:33 +0000
Subject: [PATCH] security(ssh-adduser): disable UsePAM on macOS (otherwise passwords are still allowed)
---
 ssh-utils/ssh-adduser.sh | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/ssh-utils/ssh-adduser.sh b/ssh-utils/ssh-adduser.sh
index 99a1586..17794a3 100644
--- a/ssh-utils/ssh-adduser.sh
+++ b/ssh-utils/ssh-adduser.sh
@@ -53,14 +53,24 @@ function __run_ssh_adduser() {
 sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"

 # TODO ensure that ssh-password login is off
- my_user="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
- if [[ -n ${my_user} ]]; then
-
+ my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
+ my_pam=""
+ if [[ "Darwin" == "$(uname -s)" ]]; then
+ # Turn off PAM for macOS or it will allow password login
+ my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
+ fi
+ if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
 echo "######################################################################"
 echo "# #"
 echo "# WARNING #"
 echo "# #"
- echo "# Found /etc/ssh/sshd_config: PasswordAuthentication yes #"
+ echo "# Found /etc/ssh/sshd_config: #"
+ if [[ -n ${my_pass} ]]; then
+ echo "# PasswordAuthentication yes #"
+ fi
+ if [[ -n ${my_pam} ]]; then
+ echo "# UsePAM yes #"
+ fi
 echo "# #"
 echo "# This is EXTREMELY DANGEROUS and insecure. #"
 echo "# We'll attempt to fix this now... #"
@@ -69,6 +79,9 @@ function __run_ssh_adduser() {
 sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
 /etc/ssh/sshd_config

+ sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
+ /etc/ssh/sshd_config
+
 if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
 echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
 else
--
2.25.1
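Review bot: The new `my_pam` detection is an unanchored grep, so `grep 'UsePAM yes'` also matches a commented-out `#UsePAM yes`, which sshd ignores (its built-in default for UsePAM is no), and the warning plus the fix path then run for a harmless config; anchoring it, `my_pam="$(grep -E '^[[:space:]]*UsePAM[[:space:]]+yes' /etc/ssh/sshd_config)"`, limits the match to an active directive. For `my_pass` the unanchored match is the right one, since a commented `#PasswordAuthentication yes` leaves sshd at its default of yes, but the check still misses a config in which the directive is absent altogether, which also means password login is enabled, so the TODO above it remains open for that case. A short comment on `my_pam=""` saying the variable stays empty on non-macOS hosts, so the later `[[ -n ${my_pam} ]]` branches are skipped there, would help the reader. `__run_ssh_adduser` starts before this hunk and continues after it.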
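Review bot: The added `sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/'` is not gated on `uname -s` the way the detection in the earlier hunk is, so on Linux hosts, where `UsePAM yes` is the usual and intended setting, it is rewritten to `UsePAM no` whether or not anything was detected, which changes account and session handling well beyond the macOS case named in the commit message. On macOS itself the line most likely fails before changing anything: the system sed there is BSD sed, whose `-i` takes a mandatory suffix argument and which does not understand the GNU `\?` and `\|` extensions; the pre-existing PasswordAuthentication sed two lines above has the same problem, so that fix presumably never applied on macOS either. The verification `if grep "PasswordAuthentication yes"` that follows does not re-check UsePAM, so a failed rewrite of the new directive is reported as success. Gating the edit on Darwin, using a plain BRE with `-i ''`, and checking the result inside the same branch addresses all three; `__run_ssh_adduser` starts before this hunk and continues after it.
```shell
    # … unchanged: PasswordAuthentication sed …

    if [[ "Darwin" == "$(uname -s)" ]]; then
        # macOS ships BSD sed: -i needs a suffix argument (empty here) and
        # \? / \| are GNU-only, so keep the expression to plain BRE
        sed -i '' 's/^#*UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
        if grep -q '^UsePAM yes' /etc/ssh/sshd_config; then
            echo "# FAILED. Please check /etc/ssh/sshd_config manually. #"
        fi
    fi

    # … unchanged: PasswordAuthentication verification …
```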