openssh: disable password authentication by default (except dev)

diff --git a/cookbooks/openssh/attributes/default.rb b/cookbooks/openssh/attributes/default.rb
index d829ee259f49fdaf34055c2fee3b46bc14a1fc82..7e5d783070834b01b88b514c908a2ef2dc971756 100644 (file)
--- a/cookbooks/openssh/attributes/default.rb
+++ b/cookbooks/openssh/attributes/default.rb
@@ -1 +1,2 @@
 default[:openssh][:port] = 22
+default[:openssh][:password_authentication] = false

diff --git a/cookbooks/openssh/templates/default/sshd_config.conf.erb b/cookbooks/openssh/templates/default/sshd_config.conf.erb
index 00a540a5e54e9d114d613d2a277220eb79027bd3..99e427cc450d2bfd3e886a3591f353a0a659348d 100644 (file)
--- a/cookbooks/openssh/templates/default/sshd_config.conf.erb
+++ b/cookbooks/openssh/templates/default/sshd_config.conf.erb
@@ -1,3 +1,9 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 Port <%= node[:openssh][:port] %>
+
+<% if node[:openssh][:password_authentication] -%>
+PasswordAuthentication yes
+<% else -%>
+PasswordAuthentication no
+<% end -%>

diff --git a/roles/dev.rb b/roles/dev.rb
index d546c7d1fda3c0c6e6a72f142b816353e2e63c32..3ba2b803f356b3ea7d565d39bf6d38083d9a98e9 100644 (file)
--- a/roles/dev.rb
+++ b/roles/dev.rb
@@ -151,6 +151,9 @@ default_attributes(
         "kernel.shmmax" => "17179869184"
       }
     }
+  },
+  :openssh => {
+    :password_authentication => true
   }
 )