Package: lxc
Version: 1:1.0.5-1
Severity: normal
Tags: security patch upstream
Hi,
one more patch to disable root login over ssh with password by
default.
Cheers,
Ondrej
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lxc depends on:
ii libapparmor1 2.8.0-5.1+b2
ii libc6 2.19-9
ii libcap2 1:2.24-4
ii libseccomp2 2.1.1-1
ii libselinux1 2.3-1
ii multiarch-support 2.19-9
ii python3 3.4.1-1
Versions of packages lxc recommends:
ii lua5.2 5.2.3-1
ii rsync 3.1.1-2
Versions of packages lxc suggests:
ii debootstrap 1.0.60
-- no debconf information
From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ond...@sury.org>
Date: Tue, 19 Aug 2014 17:17:06 +0200
Subject: Change PermitRootLogin yes to PermitRootLogin without-password in
default sshd_config
---
templates/lxc-debian.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 5cf928d..6b2d311 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -129,6 +129,9 @@ EOF
DPKG_MAINTSCRIPT_PACKAGE=openssh DPKG_MAINTSCRIPT_NAME=postinst chroot $rootfs /var/lib/dpkg/info/openssh-server.postinst configure
sed -i "s/root@$(hostname)/root@$hostname/g" $rootfs/etc/ssh/ssh_host_*.pub
+ # Don't allow root login with password
+ sed -i "s/PermitRootLogin yes/PermitRootLogin without-password/" $rootfs/etc/ssh/sshd_config
+
if [ -f "$rootfs/etc/init/ssh.conf.disabled" ]; then
mv $rootfs/etc/init/ssh.conf.disabled $rootfs/etc/init/ssh.conf
fi
