From f34ee5e69b1b551bba68ac55ea5f450b6d02ee89 Mon Sep 17 00:00:00 2001
From: Joel Low
Date: Thu, 21 May 2026 11:46:54 +0800
Subject: [PATCH 1/2] security: remove passwords for root and ubuntu

This prevents the users from being logged into except by SSH public key authentication.
---
 ebssurrogate/scripts/qemu-bootstrap-nix.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
index 43e1d98fa..84d630b3b 100755
--- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh
+++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
@@ -156,6 +156,10 @@ function clean_system {
 rm -rf /root/.vpython*
 rm -rf /root/go
 rm -rf /mnt/usr/share/doc
+
+ # remove passwords in user-data-cloudimg.img (required for Packer login)
+ usermod -p '*' ubuntu
+ usermod -p '*' root
 }
 
 install_nix

From 2ab30c5e8976daea3d2e8b9668ed77bf8bcaceed Mon Sep 17 00:00:00 2001
From: Joel Low
Date: Thu, 21 May 2026 12:01:37 +0800
Subject: [PATCH 2/2] fix: ensure Password and Challenge Response auth for SSH is disabled

---
 ebssurrogate/scripts/qemu-bootstrap-nix.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
index 84d630b3b..a76186bf7 100755
--- a/ebssurrogate/scripts/qemu-bootstrap-nix.sh
+++ b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
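Review bot: The two `usermod -p '*'` calls at the end of the hunk clear only the two named accounts and verify nothing, whereas the follow-up patch adds a post-check for sshd_config; since the cloud-init user-data the comment refers to can create or set passwords for other accounts too, audit /etc/shadow for any remaining usable hash before leaving clean_system, e.g. `awk -F: '$2 !~ /^[*!]/ { print $1; bad = 1 } END { exit bad }' /etc/shadow || { echo "ERROR: accounts with usable passwords remain"; exit 1; }` (an empty field also counts as usable). `*` is the right choice over `passwd -l`, whose `!` prefix makes sshd on Linux refuse the account as locked even for key-based logins, and that reasoning deserves a line next to the calls: `# '*' disables password auth without locking the account, so SSH public-key logins keep working`. If the cloud-init seed stays attached and cloud-init runs again on the built image's first boot it can reapply `chpasswd`/`password` from user-data; whether that is handled elsewhere is not visible here. clean_system begins before this hunk.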
@@ -160,6 +160,15 @@ function clean_system {
 # remove passwords in user-data-cloudimg.img (required for Packer login)
 usermod -p '*' ubuntu
 usermod -p '*' root
+
+ # Ensure that PasswordAuthentication is off
+ # From chroot-boostrap-nix.sh
+ sed -i -E \
+ -e 's/^#?\s*PasswordAuthentication\s+(yes|no)\s*$/PasswordAuthentication no/g' \
+ -e 's/^#?\s*ChallengeResponseAuthentication\s+(yes|no)\s*$/ChallengeResponseAuthentication no/g' \
+ /etc/ssh/sshd_config
+ grep -qE "^PasswordAuthentication\s+no" /etc/ssh/sshd_config \
+ || { echo "ERROR: PasswordAuthentication is not disabled in sshd_config"; exit 1; }
 }
 
 install_nix
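Review bot: The post-check on the last two added lines greps only /etc/ssh/sshd_config, so if the image's config carries an `Include /etc/ssh/sshd_config.d/*.conf` (stock on recent Ubuntu, where cloud-init writes `PasswordAuthentication yes` into `50-cloud-init.conf` when `ssh_pwauth` is set) a drop-in wins, because sshd keeps the first value it reads and the Include sits above the file's own directives; the check would then pass while password auth stays enabled. Verify the effective configuration with `sshd -T` instead (it needs host keys present, so run it before any step that strips them), and write the directives into a drop-in that sorts ahead of cloud-init's file when the directory exists. The `ChallengeResponseAuthentication` rewrite also silently misses images whose config uses the current name `KbdInteractiveAuthentication` (sshd 8.7+ treats the old name as an alias), and nothing verifies it either; cover both names in the sed and in the effective-config check. clean_system begins before this hunk.
```shell
  sed -i -E \
    -e 's/^#?\s*PasswordAuthentication\s+(yes|no)\s*$/PasswordAuthentication no/g' \
    -e 's/^#?\s*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)\s+(yes|no)\s*$/\1 no/g' \
    /etc/ssh/sshd_config
  # If sshd_config Includes sshd_config.d/*.conf ahead of its own directives,
  # sshd keeps the first value it reads, so a drop-in that sorts before
  # cloud-init's 50-cloud-init.conf is what actually takes effect.
  if [[ -d /etc/ssh/sshd_config.d ]]; then
    printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
      > /etc/ssh/sshd_config.d/00-disable-password-auth.conf
  fi
  # Verify the effective configuration, not a single file (sshd -T needs host keys).
  effective=$(sshd -T 2>/dev/null) \
    || { echo "ERROR: sshd -T failed; cannot verify sshd configuration"; exit 1; }
  grep -qi '^passwordauthentication no$' <<<"$effective" \
    || { echo "ERROR: PasswordAuthentication is not disabled in effective sshd config"; exit 1; }
  grep -qiE '^(kbdinteractive|challengeresponse)authentication no$' <<<"$effective" \
    || { echo "ERROR: keyboard-interactive auth is not disabled in effective sshd config"; exit 1; }
```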