summaryrefslogtreecommitdiff
path: root/distrib/miniroot/install.sub
diff options
context:
space:
mode:
authorRobert Peichaer <rpe@cvs.openbsd.org>2015-07-30 19:40:33 +0000
committerRobert Peichaer <rpe@cvs.openbsd.org>2015-07-30 19:40:33 +0000
commitdc42048c923259322fef12c74fa88d6cf5562ff1 (patch)
treea427e94d09b0ca2618ea1cd38d85b8b4a3bb0487 /distrib/miniroot/install.sub
parentb8fd92cd6eba94e3297db705bf55baf10660a39b (diff)
Change installer to cope with the new sshd_config(5) default for
the PermitRootLogin option. Additionally to 'yes' and 'no' allow 'without-password' and make that the proposed default answer for the "Allow root ssh login?" question. Modify sshd_config only if the user choice is not the default. OK deraadt discussed with halex@, sthen@ and others
Diffstat (limited to 'distrib/miniroot/install.sub')
-rw-r--r--distrib/miniroot/install.sub35
1 files changed, 21 insertions, 14 deletions
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index 7b9882d3fe4..4a0a5a4b302 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -1,4 +1,4 @@
-# $OpenBSD: install.sub,v 1.849 2015/07/20 01:12:49 rpe Exp $
+# $OpenBSD: install.sub,v 1.850 2015/07/30 19:40:32 rpe Exp $
#
# Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
# Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org>
@@ -1631,18 +1631,23 @@ user_setup() {
# Ask user whether or not to allow logins to root in case sshd(8) is enabled.
# If no user is setup, show a hint to enable root logins, but warn about risks
-# of doing so. During autoinstall ask if a rootkey is provided, even if a user
-# is setup.
+# of doing so.
ask_root_sshd() {
[[ $sshd == y ]] || return
if [[ -z $user ]]; then
echo "Since no user was setup, root logins via sshd(8) might be useful."
echo "WARNING: root accounts are often targets of password guessing attacks."
fi
- if [[ -z $user || -n $rootkey ]]; then
- ask_yn "Enable sshd(8) logins to root?" no
- sshd_enableroot=$resp
- fi
+ while :; do
+ ask "Allow root ssh login? (yes, no, without-password)" without-password
+ case $resp in
+ [yY]*) sshd_enableroot=yes;;
+ [nN]*) sshd_enableroot=no;;
+ [wW]*) sshd_enableroot=without-password;;
+ *) $AUTO && exit 1 || continue;;
+ esac
+ return
+ done
}
# Set TZ variable based on zonefile $1 and user selection.
@@ -2078,16 +2083,18 @@ install_sets() {
# Apply configuration settings based on the previously gathered information.
apply() {
- local ssh_permitroot=
+ local _sshd_default
if [[ $sshd == n ]]; then
echo "sshd_flags=NO" >>/mnt/etc/rc.conf.local
- elif [[ $sshd_enableroot == y ]]; then
- ssh_permitroot=yes
- [[ -n $rootkey ]] && ssh_permitroot=without-password
- sed "/^#\(PermitRootLogin\) no/s//\1 $ssh_permitroot/" \
- </mnt/etc/ssh/sshd_config >/tmp/sshd_config
- cp /tmp/sshd_config /mnt/etc/ssh/sshd_config
+ elif [[ -n $sshd_enableroot ]]; then
+ _sshd_default=$(sed -n '/^#PermitRootLogin \(.*\)$/s//\1/p' \
+ /mnt/etc/ssh/sshd_config)
+ # Only change sshd_config if the user choice is not the default.
+ if [[ $sshd_enableroot != $_sshd_default ]]; then
+ sed -i "/^#\(PermitRootLogin\) .*$/s//\1 $sshd_enableroot/" \
+ /mnt/etc/ssh/sshd_config
+ fi
fi
[[ -n $aperture ]] &&