From deca28c1583386c6d3fa6dc9a3dad3dbc519ff95 Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Thu, 16 Jul 2020 22:26:06 +0000
Subject: [PATCH] Disable password auth on ssh key Linux builds
---
 builder/azure/arm/config.go | 6 +++---
 builder/azure/arm/config_test.go | 12 ++++++++++--
 builder/azure/arm/template_factory.go | 2 +-
 ...mplate_factory_test.TestPlanInfo01.approved.json | 2 +-
 ...mplate_factory_test.TestPlanInfo02.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment04.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment06.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment08.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment10.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment12.approved.json | 2 +-
 ...est.TestVirtualMachineDeployment14.approved.json | 2 +-
 builder/azure/arm/template_factory_test.go | 13 ++++++++-----
 12 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/builder/azure/arm/config.go b/builder/azure/arm/config.go
index 5e6e8d1e7..4f31bdbeb 100644
--- a/builder/azure/arm/config.go
+++ b/builder/azure/arm/config.go
@@ -697,10 +697,10 @@ func setUserNamePassword(c *Config) error {
 }
 c.UserName = c.Comm.SSHUsername
- if c.Comm.SSHPassword == "" {
- c.Comm.SSHPassword = c.Password
+ // if user has an explicit wish to use an SSH password, we'll set it
+ if c.Comm.SSHPassword != "" {
+ c.Password = c.Comm.SSHPassword
 }
- c.Password = c.Comm.SSHPassword
 if c.Comm.Type == "ssh" {
 return nil
diff --git a/builder/azure/arm/config_test.go b/builder/azure/arm/config_test.go
index fa03ecd97..3f6df81ff 100644
--- a/builder/azure/arm/config_test.go
+++ b/builder/azure/arm/config_test.go
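Review bot: The new comment above `if c.Comm.SSHPassword != ""` does not say that an empty `c.Comm.SSHPassword` is now a signal: the template_factory.go hunk in this patch tests `config.Comm.SSHPassword == ""` to decide whether password authentication is disabled on the Linux VM. I would spell that out, e.g. `// Leave Comm.SSHPassword empty unless the user set it; GetVirtualMachineDeployment treats empty as key-only and disables password auth.`, so that a later change which defaults the field again does not silently re-enable password login. In the key-only case `c.Password` still holds the generated value (the config_test.go hunk asserts `c.Password == c.tmpAdminPassword`); whether it is still handed to the deployment as a parameter is not visible here and is worth confirming. setUserNamePassword starts and ends outside this hunk.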
@@ -71,8 +71,8 @@ func TestConfigUserNameOverride(t *testing.T) {
 if c.Password != c.tmpAdminPassword {
 t.Errorf("Expected 'Password' to be set to generated password, but found %q!", c.Password)
 }
- if c.Comm.SSHPassword != c.tmpAdminPassword {
- t.Errorf("Expected 'c.Comm.SSHPassword' to be set to generated password, but found %q!", c.Comm.SSHPassword)
+ if c.Comm.SSHPassword != "" {
+ t.Errorf("Expected 'c.Comm.SSHPassword' to be empty, but found %q!", c.Comm.SSHPassword)
 }
 if c.UserName != "override_username" {
 t.Errorf("Expected 'UserName' to be set to 'override_username', but found %q!", c.UserName)
@@ -2093,6 +2093,14 @@ func getPackerCommunicatorConfiguration() map[string]string {
 return config
 }
+func getPackerSSHPasswordCommunicatorConfiguration() map[string]string {
+ config := map[string]string{
+ "ssh_password": "superS3cret",
+ }
+
+ return config
+}
+
 func TestConfigShouldRejectMalformedUserAssignedManagedIdentities(t *testing.T) {
 config := map[string]interface{}{
 "capture_name_prefix": "ignore",
diff --git a/builder/azure/arm/template_factory.go b/builder/azure/arm/template_factory.go
index dd2ae5637..3dbe8902e 100644
--- a/builder/azure/arm/template_factory.go
+++ b/builder/azure/arm/template_factory.go
@@ -55,7 +55,7 @@ func GetVirtualMachineDeployment(config *Config) (*resources.Deployment, error)
 switch config.OSType {
 case constants.Target_Linux:
- builder.BuildLinux(config.sshAuthorizedKey)
+ builder.BuildLinux(config.sshAuthorizedKey, config.Comm.SSHPassword == "") // if ssh password is not explicitly specified, disable password auth
 case constants.Target_Windows:
 osType = compute.Windows
 builder.BuildWindows(config.tmpKeyVaultName, config.tmpWinRMCertificateUrl)
diff --git a/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json b/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json
index eb841ab4d..1b9d40d93 100644
--- a/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json
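Review bot: The helper `getPackerSSHPasswordCommunicatorConfiguration` is added in the second hunk, but neither hunk shown for config_test.go asserts the explicit-password path; only the empty case is checked, in TestConfigUserNameOverride. A test that prepares a Config with this helper and checks `if c.Password != "superS3cret" { t.Errorf("Expected 'Password' to be the ssh_password, but found %q!", c.Password) }`, plus that `c.Comm.SSHPassword` is left as supplied, would pin the branch that keeps password authentication enabled. The file is only partly visible here, so such a test may already exist elsewhere in it.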
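Review bot: The second argument to `builder.BuildLinux` is a bare boolean expression whose meaning is carried only by the trailing comment, and this is the line that decides whether the VM accepts password logins. A named local reads better at the call site: `disablePasswordAuth := config.Comm.SSHPassword == ""` followed by `builder.BuildLinux(config.sshAuthorizedKey, disablePasswordAuth)`. The definition of BuildLinux is not among the files in this patch, so the parameter's meaning is inferred from the approved JSON (`"disablePasswordAuthentication": true`). If `config.sshAuthorizedKey` can be empty on this path, disabling password auth would leave the VM with no login method, so a guard or a comment stating that the key is always set would help. GetVirtualMachineDeployment continues outside the hunk.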
+++ b/builder/azure/arm/template_factory_test.TestPlanInfo01.approved.json
@@ -149,10 +149,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json b/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json
index 9a9f6e523..20eda3180 100644
--- a/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json
+++ b/builder/azure/arm/template_factory_test.TestPlanInfo02.approved.json
@@ -153,10 +153,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json
index 24d96726a..4c69b352a 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment04.approved.json
@@ -126,10 +126,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json
index 0f29794ce..74774714a 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment06.approved.json
@@ -141,10 +141,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json
index f411e5a6e..bd1445920 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment08.approved.json
@@ -126,10 +126,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json
index c330259ae..d87964955 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment10.approved.json
@@ -104,10 +104,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json
index 77c10f0af..c6addd27a 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment12.approved.json
@@ -126,10 +126,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json
index 1b80997a0..36182b82d 100644
--- a/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json
+++ b/builder/azure/arm/template_factory_test.TestVirtualMachineDeployment14.approved.json
@@ -127,10 +127,10 @@
 ]
 },
 "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
 "adminUsername": "[parameters('adminUsername')]",
 "computerName": "[parameters('vmName')]",
 "linuxConfiguration": {
+ "disablePasswordAuthentication": true,
 "ssh": {
 "publicKeys": [
 {
diff --git a/builder/azure/arm/template_factory_test.go b/builder/azure/arm/template_factory_test.go
index 82b9b1cc9..f0e026a26 100644
--- a/builder/azure/arm/template_factory_test.go
+++ b/builder/azure/arm/template_factory_test.go
@@ -108,7 +108,10 @@ func TestVirtualMachineDeployment03(t *testing.T) {
 m["image_version"] = "ImageVersion"
 var c Config
- c.Prepare(m, getPackerConfiguration())
+ _, err := c.Prepare(m, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
+ if err != nil {
+ t.Fatal(err)
+ }
 deployment, err := GetVirtualMachineDeployment(&c)
 if err != nil {
 t.Fatal(err)
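Review bot: The added `getPackerSSHPasswordCommunicatorConfiguration()` argument in TestVirtualMachineDeployment03 carries no comment explaining why it is needed, and the same applies to the 05, 07, 09 and 11 hunks that follow. The approved JSON for these five tests is not in the diffstat, so they presumably now serve as the password-authentication cases, while the tests whose approved files changed cover key-only builds. A one-line comment such as `// ssh_password set: exercises the password-auth template (adminPassword kept)` at each call would make that split visible to the next maintainer. Each test function starts and ends outside its hunk.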
@@ -168,7 +171,7 @@ func TestVirtualMachineDeployment05(t *testing.T) {
 }
 var c Config
- _, err := c.Prepare(config, getPackerConfiguration())
+ _, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 if err != nil {
 t.Fatal(err)
 }
@@ -235,7 +238,7 @@ func TestVirtualMachineDeployment07(t *testing.T) {
 }
 var c Config
- _, err := c.Prepare(config, getPackerConfiguration())
+ _, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 if err != nil {
 t.Fatal(err)
 }
@@ -312,7 +315,7 @@ func TestVirtualMachineDeployment09(t *testing.T) {
 }
 var c Config
- _, err := c.Prepare(config, getPackerConfiguration())
+ _, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 if err != nil {
 t.Fatal(err)
 }
@@ -387,7 +390,7 @@ func TestVirtualMachineDeployment11(t *testing.T) {
 }
 var c Config
- _, err := c.Prepare(config, getPackerConfiguration())
+ _, err := c.Prepare(config, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration())
 if err != nil {
 t.Fatal(err)
 }