svn commit: r326564 - head/release/tools

[Colin Percival]

Author: cperciva
Date: Tue Dec  5 09:08:48 2017
New Revision: 326564
URL: https://svnweb.freebsd.org/changeset/base/326564

Log:
  Resurrect r321659: Turn off ChallengeResponseAuthentication for EC2 AMIs.
  
  EC2 instances are normally launched with an SSH public key specified,
  which is then used for logging in (by default, as 'ec2-user').  Having
  ChallengeResponseAuthentication enabled (as FreeBSD's default sshd_config
  does) has no functional effect in a new EC2 instance, since you can't log
  in using a password until a password has been set -- but having this
  enabled results in alerts from automated scanning tools which can detect
  that sshd advertises support for keyboard-interactive logins (since they
  can't detect that accounts have no password set).
  
  EC2 users who want to use passwords to log in to their instances will need
  to set 'ChallengeResponseAuthentication yes' in FreeBSD 12.0 and later.
  
  Discussed with:	gjb, gtetlow, emaste, des
  Requested by:	Amazon
  X-MFC:		No
  Relnotes:	ChallengeResponseAuthentication is turned off by default in
  		Amazon EC2 AMIs.

Modified:
  head/release/tools/ec2.conf

Modified: head/release/tools/ec2.conf
==============================================================================
--- head/release/tools/ec2.conf	Tue Dec  5 08:25:17 2017	(r326563)
+++ head/release/tools/ec2.conf	Tue Dec  5 09:08:48 2017	(r326564)
@@ -81,6 +81,12 @@ vm_extra_pre_umount() {
 	# Load the kernel module for the Amazon "Elastic Network Adapter"
 	echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf
 
+	# Disable ChallengeResponseAuthentication according to EC2
+	# requirements.
+	sed -i '' -e \
+		's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
+		${DESTDIR}/etc/ssh/sshd_config
+
 	# The first time the AMI boots, the installed "first boot" scripts
 	# should be allowed to run:
 	# * ec2_configinit (download and process EC2 user-data)