Disable ssh password auth (#198)

examples/machine-digitalocean.yaml

@@ -32,7 +32,8 @@ spec:
       backups: false
       ipv6: false
       private_networking: true
-      monitoring: true
+      # Monitoring must be turned off for CoreOS Container Linux
+      monitoring: false
       tags:
         - "machine-controller"
     # Can be 'ubuntu', 'coreos' or 'centos'

pkg/controller/machine.go

@@ -261,8 +261,9 @@ func (c *Controller) updateMachineError(machine *machinev1alpha1.Machine, reason
 // and at the same time terminal error will be returned to the caller
 // otherwise it will return formatted error according to errMsg
 func (c *Controller) updateMachineErrorIfTerminalError(machine *machinev1alpha1.Machine, stReason machinev1alpha1.MachineStatusError, stMessage string, err error, errMsg string) error {
+	c.recorder.Eventf(machine, corev1.EventTypeWarning, string(stReason), stMessage)
 	if ok, _, _ := cloudprovidererrors.IsTerminalError(err); ok {
-		if _, errNested := c.updateMachineError(machine, machinev1alpha1.DeleteMachineError, stMessage); errNested != nil {
+		if _, errNested := c.updateMachineError(machine, stReason, stMessage); errNested != nil {
 			return fmt.Errorf("failed to update machine error after due to %v, terminal error = %v", errNested, stMessage)
 		}
 		return err
@@ -496,11 +497,13 @@ func (c *Controller) ensureInstanceExistsForMachine(prov cloud.Provider, machine
 
 			kubeconfig, err := c.createBootstrapKubeconfig(machine.Name)
 			if err != nil {
+				c.recorder.Eventf(machine, corev1.EventTypeWarning, "CreateBootstrapKubeconfigFailed", "Creating bootstrap kubeconfig failed: %v", err)
 				return fmt.Errorf("failed to create bootstrap kubeconfig: %v", err)
 			}
 
 			userdata, err := userdataProvider.UserData(machine.Spec, kubeconfig, prov, c.clusterDNSIPs)
 			if err != nil {
+				c.recorder.Eventf(machine, corev1.EventTypeWarning, "UserdataRenderingFailed", "Userdata rendering failed: %v", err)
 				return fmt.Errorf("failed get userdata: %v", err)
 			}
 

pkg/userdata/centos/testdata/docker-1.13-aws.golden

@@ -1,6 +1,8 @@
 #cloud-config
 hostname: node1
 
+ssh_pwauth: no
+
 
 
 write_files:

pkg/userdata/centos/userdata.go

@@ -159,6 +159,8 @@ package_upgrade: true
 package_reboot_if_required: true
 {{- end }}
 
+ssh_pwauth: no
+
 {{ if ne (len .ProviderConfig.SSHPublicKeys) 0 }}
 ssh_authorized_keys:
 {{- range .ProviderConfig.SSHPublicKeys }}

pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden

@@ -72,6 +72,21 @@
           "verification": {}
         },
         "mode": 384
+      },
+      {
+        "filesystem": "root",
+        "group": {
+          "id": 0
+        },
+        "path": "/etc/ssh/sshd_config",
+        "user": {
+          "id": 0
+        },
+        "contents": {
+          "source": "data:,%23%20Use%20most%20defaults%20for%20sshd%20configuration.%0ASubsystem%20sftp%20internal-sftp%0AClientAliveInterval%20180%0AUseDNS%20no%0AUsePAM%20yes%0APrintLastLog%20no%20%23%20handled%20by%20PAM%0APrintMotd%20no%20%23%20handled%20by%20PAM%0APasswordAuthentication%20no%0AChallengeResponseAuthentication%20no%0A",
+          "verification": {}
+        },
+        "mode": 384
       }
     ]
   },

pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-multiple-dns.golden

@@ -72,6 +72,21 @@
           "verification": {}
         },
         "mode": 384
+      },
+      {
+        "filesystem": "root",
+        "group": {
+          "id": 0
+        },
+        "path": "/etc/ssh/sshd_config",
+        "user": {
+          "id": 0
+        },
+        "contents": {
+          "source": "data:,%23%20Use%20most%20defaults%20for%20sshd%20configuration.%0ASubsystem%20sftp%20internal-sftp%0AClientAliveInterval%20180%0AUseDNS%20no%0AUsePAM%20yes%0APrintLastLog%20no%20%23%20handled%20by%20PAM%0APrintMotd%20no%20%23%20handled%20by%20PAM%0APasswordAuthentication%20no%0AChallengeResponseAuthentication%20no%0A",
+          "verification": {}
+        },
+        "mode": 384
       }
     ]
   },

pkg/userdata/coreos/testdata/docker-1.12.6-disable-auto-update-aws.golden

@@ -72,6 +72,21 @@
           "verification": {}
         },
         "mode": 384
+      },
+      {
+        "filesystem": "root",
+        "group": {
+          "id": 0
+        },
+        "path": "/etc/ssh/sshd_config",
+        "user": {
+          "id": 0
+        },
+        "contents": {
+          "source": "data:,%23%20Use%20most%20defaults%20for%20sshd%20configuration.%0ASubsystem%20sftp%20internal-sftp%0AClientAliveInterval%20180%0AUseDNS%20no%0AUsePAM%20yes%0APrintLastLog%20no%20%23%20handled%20by%20PAM%0APrintMotd%20no%20%23%20handled%20by%20PAM%0APasswordAuthentication%20no%0AChallengeResponseAuthentication%20no%0A",
+          "verification": {}
+        },
+        "mode": 384
       }
     ]
   },

pkg/userdata/coreos/userdata.go

@@ -258,4 +258,23 @@ storage:
       mode: 0600
       contents:
         inline: '{{ .MachineSpec.Name }}'
+
+    - path: /etc/ssh/sshd_config
+      filesystem: root
+      mode: 0600
+      user:
+        id: 0
+      group:
+        id: 0
+      contents:
+        inline: |
+          # Use most defaults for sshd configuration.
+          Subsystem sftp internal-sftp
+          ClientAliveInterval 180
+          UseDNS no
+          UsePAM yes
+          PrintLastLog no # handled by PAM
+          PrintMotd no # handled by PAM
+          PasswordAuthentication no
+          ChallengeResponseAuthentication no
 `

pkg/userdata/coreos/userdata_test.go

@@ -158,7 +158,7 @@ func TestProvider_UserData(t *testing.T) {
 
 			userdata, err := p.UserData(spec, kubeconfig, test.ccProvider, test.DNSIPs)
 			if err != nil {
-				return
+				t.Fatal(err)
 			}
 
 			golden := filepath.Join("testdata", test.name+".golden")

pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden

@@ -3,6 +3,8 @@ hostname: node1
 
 package_update: true
 
+ssh_pwauth: no
+
 ssh_authorized_keys:
 - "ssh-rsa AAABBB"
 - "ssh-rsa CCCDDD"

pkg/userdata/ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden

@@ -5,6 +5,8 @@ package_update: true
 package_upgrade: true
 package_reboot_if_required: true
 
+ssh_pwauth: no
+
 ssh_authorized_keys:
 - "ssh-rsa AAABBB"
 - "ssh-rsa CCCDDD"

pkg/userdata/ubuntu/testdata/docker-17.03-openstack-kubelet-v-version-prefix.golden

@@ -5,6 +5,8 @@ package_update: true
 package_upgrade: true
 package_reboot_if_required: true
 
+ssh_pwauth: no
+
 ssh_authorized_keys:
 - "ssh-rsa AAABBB"
 - "ssh-rsa CCCDDD"

pkg/userdata/ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden

@@ -5,6 +5,8 @@ package_update: true
 package_upgrade: true
 package_reboot_if_required: true
 
+ssh_pwauth: no
+
 ssh_authorized_keys:
 - "ssh-rsa AAABBB"
 - "ssh-rsa CCCDDD"

pkg/userdata/ubuntu/userdata.go

@@ -161,6 +161,8 @@ package_upgrade: true
 package_reboot_if_required: true
 {{- end }}
 
+ssh_pwauth: no
+
 ssh_authorized_keys:
 {{- range .ProviderConfig.SSHPublicKeys }}
 - "{{ . }}"