From a7e64aaa6605e97c6ade6603481bd54cd3f18b65 Mon Sep 17 00:00:00 2001 From: Ryan Hitchman Date: Fri, 25 Aug 2017 11:21:59 -0700 Subject: [PATCH] Make coreos test images sshd not allow password login. Configuration is based on: https://coreos.com/os/docs/latest/customizing-sshd.html The specific SSHD config is: # Use most defaults for sshd configuration. UsePrivilegeSeparation sandbox Subsystem sftp internal-sftp ClientAliveInterval 180 UseDNS no UsePAM yes PrintLastLog no # handled by PAM PrintMotd no # handled by PAM AuthenticationMethods publickey This will prevent security scanners from triggering.
---
 test/e2e_node/jenkins/coreos-init.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/test/e2e_node/jenkins/coreos-init.json b/test/e2e_node/jenkins/coreos-init.json
index 24e1fb96534..b8eaf437fe7 100644
--- a/test/e2e_node/jenkins/coreos-init.json
+++ b/test/e2e_node/jenkins/coreos-init.json
@@ -24,6 +24,21 @@
 "groups": ["docker", "sudo"]
 }
 }]
+ },
+ "storage": {
+ "files": [
+ {
+ "filesystem": "root",
+ "path": "/etc/ssh/sshd_config",
+ "contents": {
+ "source": "data:,%23%20Use%20most%20defaults%20for%20sshd%20configuration.%0AUsePrivilegeSeparation%20sandbox%0ASubsystem%20sftp%20internal-sftp%0AClientAliveInterval%20180%0AUseDNS%20no%0AUsePAM%20yes%0APrintLastLog%20no%20%23%20handled%20by%20PAM%0APrintMotd%20no%20%23%20handled%20by%20PAM%0AAuthenticationMethods%20publickey",
+ "verification": {}
+ },
+ "mode": 384,
+ "user": {},
+ "group": {}
+ }
+ ]
 }
 }
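Review bot: Password login ends up disabled only as a side effect of the single `AuthenticationMethods publickey` directive inside the percent-encoded `source` data URL, so the whole policy rests on one line that reviewers cannot read without decoding it. Appending `%0APasswordAuthentication%20no%0AChallengeResponseAuthentication%20no` to that URL would state the intent explicitly and keep password and keyboard-interactive logins off if `AuthenticationMethods` is later edited, which matters since `UsePAM yes` stays enabled. The decoded text currently lives only in the commit message; because strict JSON carries no comments, a plain-text copy of the sshd_config kept next to coreos-init.json would let later changes be audited against the blob. `"mode": 384` is the decimal form of octal 0600, which is worth recording in the same place.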