From 52b53064ae9100cf67409a4bb0130f613629f5bf Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Fri, 12 May 2017 16:11:41 +0200
Subject: [PATCH] GRMLBASE/49-sshd: ensure that login as root via password works again

openssh defaults to "prohibit-password" since openssh-server v1:7.1p1-1, breaking our existing change regarding without-password. While at it also improve the script to not readd the PermitRootLogin and UseDNS configs with every single run, instead check for our own modifications and skip them in further runs.
Closes grml/grml#12
---
 etc/grml/fai/config/scripts/GRMLBASE/49-sshd | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/etc/grml/fai/config/scripts/GRMLBASE/49-sshd b/etc/grml/fai/config/scripts/GRMLBASE/49-sshd
index 9f0a824..f2d40ed 100755
--- a/etc/grml/fai/config/scripts/GRMLBASE/49-sshd
+++ b/etc/grml/fai/config/scripts/GRMLBASE/49-sshd
@@ -15,11 +15,23 @@ if ! [ -r "${target}/etc/ssh/sshd_config" ] ; then
 fi
 
 # make sure root login works, it's set to "without-password" since openssh-server v1:6.6p1-1
-sed -i "s/^\(PermitRootLogin without-password\)/# \1 # disabled via grml-live\nPermitRootLogin yes/" "${target}/etc/ssh/sshd_config"
+# and defaults to "prohibit-password" since openssh-server v1:7.1p1-1
+if grep -q '^PermitRootLogin ' "${target}/etc/ssh/sshd_config" ; then
+ # make sure we don't modify our own disabled snippet once again
+ if ! grep -q 'PermitRootLogin .*disabled via grml-live' "${target}/etc/ssh/sshd_config" ; then
+ sed -i "s/^\(PermitRootLogin .*\)/# \1 # disabled via grml-live\nPermitRootLogin yes/" "${target}/etc/ssh/sshd_config"
+ fi
+else
+ echo "# Added via grml-live script:" >> "${target}/etc/ssh/sshd_config"
+ echo "PermitRootLogin yes" >> "${target}/etc/ssh/sshd_config"
+fi
 
 # speedup if DNS is broken/unavailable
-if grep -q '^UseDNS' "${target}/etc/ssh/sshd_config" ; then
- sed -i "s/^\(UseDNS yes\)/# \1 # disabled via grml-live\nUseDNS no/" "${target}/etc/ssh/sshd_config"
+if grep -q '^UseDNS ' "${target}/etc/ssh/sshd_config" ; then
+ # make sure we don't modify our own disabled snippet once again
+ if ! grep -q 'UseDNS .*disabled via grml-live' "${target}/etc/ssh/sshd_config" ; then
+ sed -i "s/^\(UseDNS .*\)/# \1 # disabled via grml-live\nUseDNS no/" "${target}/etc/ssh/sshd_config"
+ fi
 else
 echo "# Added via grml-live script:" >> "${target}/etc/ssh/sshd_config"
 echo "UseDNS no" >> "${target}/etc/ssh/sshd_config"
-- 
2.1.4
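Review bot: The new `sed` expression on `PermitRootLogin .*` rewrites every explicit value to `yes`, so a target config that deliberately carries `PermitRootLogin no` or `forced-commands-only` is also switched to password root login, whereas the previous expression touched only `without-password`. If only the two package defaults named in the comment are meant, narrow the match: `sed -i "s/^\(PermitRootLogin \(without\|prohibit\)-password\)/# \1 # disabled via grml-live\nPermitRootLogin yes/" "${target}/etc/ssh/sshd_config"`. If overriding any value is intended, state that in the comment above the block, for example `# NOTE: overrides any existing PermitRootLogin value, including "no"`, so the weakened default is visible to whoever audits the resulting image. Separately, the `else` branch appends at the end of the file, where the line would fall under a trailing `Match` block if the shipped config ever has one; that may be worth a check.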