Merge branch 'joeyconfig'

author: Joey Hess <joeyh@joeyh.name> 2015-04-28 16:01:19 -0400
committer: Joey Hess <joeyh@joeyh.name> 2015-04-28 16:01:19 -0400
commit: b4877efea5375cb83951d6dd1d3dbf9d70208cf8 (patch)
tree: b36d7b691cddf3e62eb6a1003d88bd8d7f48dab8 /src/Propellor/Property/Ssh.hs
parent: 6ec8bf6b20aa33b1f55879b41f75b1470504f74e (diff)
parent: 960745b95e96e3d276e275554584c9bd13565f5b (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 236016ff..37e65728 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -4,6 +4,7 @@ module Propellor.Property.Ssh (
 	setSshdConfig,
 	permitRootLogin,
 	passwordAuthentication,
+	noPasswords,
 	hasAuthorizedKeys,
 	authorizedKey,
 	restarted,
@@ -54,6 +55,14 @@ permitRootLogin = setSshdConfig "PermitRootLogin"
 passwordAuthentication :: Bool -> Property NoInfo
 passwordAuthentication = setSshdConfig "PasswordAuthentication"
 
+-- | Configure ssh to not allow password logins.
+--
+-- To prevent lock-out, this is done only once root's 
+-- authorized_keys is in place.
+noPasswords :: Property NoInfo
+noPasswords = check (hasAuthorizedKeys (User "root")) $
+	passwordAuthentication False
+
 dotDir :: User -> IO FilePath
 dotDir user = do
 	h <- homedir user
author	Joey Hess <joeyh@joeyh.name>	2015-04-28 16:01:19 -0400
committer	Joey Hess <joeyh@joeyh.name>	2015-04-28 16:01:19 -0400
commit	b4877efea5375cb83951d6dd1d3dbf9d70208cf8 (patch)
tree	b36d7b691cddf3e62eb6a1003d88bd8d7f48dab8 /src/Propellor/Property/Ssh.hs
parent	6ec8bf6b20aa33b1f55879b41f75b1470504f74e (diff)
parent	960745b95e96e3d276e275554584c9bd13565f5b (diff)