Disable root autologin on VCP nodes
Related-Bug: PROD-18585 (PROD:18585)
Change-Id: I7c0cf694c8f2334e41b735777e0d36d7c662ddec
diff --git a/common/ubuntu_security.sh b/common/ubuntu_security.sh
index 8a0b12b..ab54be9 100644
--- a/common/ubuntu_security.sh
+++ b/common/ubuntu_security.sh
@@ -1,12 +1,17 @@
#!/bin/bash -xe
-# Auto login root on tty1
-sed 's|/sbin/agetty|/sbin/agetty --autologin root|g' /etc/systemd/system/getty.target.wants/getty@tty1.service > /etc/systemd/system/getty-autologin@.service
-systemctl daemon-reload
-systemctl disable getty@tty1.service
-systemctl enable getty-autologin@tty1.service
+
+ROOT_AUTOLOGIN=""
+if [ "$(hostname)" != "ubuntu" ]; then
+ # Auto login root on tty1
+ sed 's|/sbin/agetty|/sbin/agetty --autologin root|g' /etc/systemd/system/getty.target.wants/getty@tty1.service > /etc/systemd/system/getty-autologin@.service
+ systemctl daemon-reload
+ systemctl disable getty@tty1.service
+ systemctl enable getty-autologin@tty1.service
+ ROOT_AUTOLOGIN="--autologin root"
+fi
# Libvirt serial console support
-cat << 'EOF' >> /etc/systemd/system/serial-getty@.service
+cat << EOF >> /etc/systemd/system/serial-getty@.service
[Unit]
Description=Getty on %I
Documentation=man:agetty(8) man:systemd-getty-generator(8)
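Review bot: The guard `[ "$(hostname)" != "ubuntu" ]` on the new side leaves root autologin as the default and turns it off only for one exact hostname. Any host whose name differs when this script runs, including one where `hostname` returns something unexpected, still gets a passwordless root console on tty1 and, through `ROOT_AUTOLOGIN`, on the serial line. What the name "ubuntu" identifies is not visible in this hunk, so a comment above the `if` should state it, for example `# hostname is still the default "ubuntu" only on <which nodes>; all other hosts keep console autologin`. A fail-closed shape would default to no autologin and enable it only on an explicit signal, e.g. `if [ "${ENABLE_ROOT_AUTOLOGIN:-0}" = "1" ]; then` (the variable name is illustrative, not taken from the project). The heredoc opened at the end of this hunk continues outside it.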
@@ -20,7 +25,7 @@
ConditionPathExists=/dev/ttyS0
[Service]
-ExecStart=-/sbin/agetty --autologin root -8 --noclear %I 115200 $TERM
+ExecStart=-/sbin/agetty ${ROOT_AUTOLOGIN} -8 --noclear %I 115200 \$TERM
Type=idle
Restart=always
RestartSec=0
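Review bot: Unquoting the heredoc delimiter so that `${ROOT_AUTOLOGIN}` expands on the `ExecStart` line also exposes the rest of the unit body to shell expansion at write time. `\$TERM` is escaped here, but the heredoc lines outside the visible hunks should be checked for any other `$` or backtick that must reach systemd literally. A comment before the `cat` would keep the next editor from re-quoting the delimiter or adding an unescaped variable, e.g. `# EOF is unquoted on purpose: ${ROOT_AUTOLOGIN} expands now, \$TERM is left for systemd`. Because the target is written with `>>`, a second run of the script appends a duplicate unit body, so it is worth confirming that the file does not already exist on the image.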
@@ -48,4 +53,4 @@
# Disable SSH password authentication and permit root login
sed -i 's|[#]*PasswordAuthentication yes|PasswordAuthentication no|g' /etc/ssh/sshd_config
-sed -i 's|[#]*PermitRootLogin no|PermitRootLogin yes|g' /etc/ssh/sshd_config
+sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin no|g' /etc/ssh/sshd_config
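Review bot: The comment above this line still reads "permit root login" although the new `sed` forbids it; it should become `# Disable SSH password authentication and root login`. The pattern `[#]*PermitRootLogin.*` is unanchored, so it also rewrites any comment line that merely mentions the keyword, and `sed -i` exits 0 when nothing matches. If the file carries no `PermitRootLogin` line, the script passes under `-e` while sshd keeps its built-in default. Anchoring the expression, `sed -i 's|^[#[:space:]]*PermitRootLogin[[:space:]].*|PermitRootLogin no|' /etc/ssh/sshd_config`, and then checking the result with `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config` would make the hardening step fail loudly instead of silently.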