diff options
| author | Robert Peichaer <rpe@cvs.openbsd.org> | 2015-07-30 19:40:33 +0000 |
|---|---|---|
| committer | Robert Peichaer <rpe@cvs.openbsd.org> | 2015-07-30 19:40:33 +0000 |
| commit | dc42048c923259322fef12c74fa88d6cf5562ff1 (patch) | |
| tree | a427e94d09b0ca2618ea1cd38d85b8b4a3bb0487 /distrib | |
| parent | b8fd92cd6eba94e3297db705bf55baf10660a39b (diff) | |
Change installer to cope with the new sshd_config(5) default for
the PermitRootLogin option. Additionally to 'yes' and 'no' allow
'without-password' and make that the proposed default answer for
the "Allow root ssh login?" question. Modify sshd_config only if
the user choice is not the default.
OK deraadt
discussed with halex@, sthen@ and others
Diffstat (limited to 'distrib')
| -rw-r--r-- | distrib/miniroot/install.sub | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 7b9882d3fe4..4a0a5a4b302 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,4 +1,4 @@ -# $OpenBSD: install.sub,v 1.849 2015/07/20 01:12:49 rpe Exp $ +# $OpenBSD: install.sub,v 1.850 2015/07/30 19:40:32 rpe Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org> @@ -1631,18 +1631,23 @@ user_setup() { # Ask user whether or not to allow logins to root in case sshd(8) is enabled. # If no user is setup, show a hint to enable root logins, but warn about risks -# of doing so. During autoinstall ask if a rootkey is provided, even if a user -# is setup. +# of doing so. ask_root_sshd() { [[ $sshd == y ]] || return if [[ -z $user ]]; then echo "Since no user was setup, root logins via sshd(8) might be useful." echo "WARNING: root accounts are often targets of password guessing attacks." fi - if [[ -z $user || -n $rootkey ]]; then - ask_yn "Enable sshd(8) logins to root?" no - sshd_enableroot=$resp - fi + while :; do + ask "Allow root ssh login? (yes, no, without-password)" without-password + case $resp in + [yY]*) sshd_enableroot=yes;; + [nN]*) sshd_enableroot=no;; + [wW]*) sshd_enableroot=without-password;; + *) $AUTO && exit 1 || continue;; + esac + return + done } # Set TZ variable based on zonefile $1 and user selection. @@ -2078,16 +2083,18 @@ install_sets() { # Apply configuration settings based on the previously gathered information. apply() { - local ssh_permitroot= + local _sshd_default if [[ $sshd == n ]]; then echo "sshd_flags=NO" >>/mnt/etc/rc.conf.local - elif [[ $sshd_enableroot == y ]]; then - ssh_permitroot=yes - [[ -n $rootkey ]] && ssh_permitroot=without-password - sed "/^#\(PermitRootLogin\) no/s//\1 $ssh_permitroot/" \ - </mnt/etc/ssh/sshd_config >/tmp/sshd_config - cp /tmp/sshd_config /mnt/etc/ssh/sshd_config + elif [[ -n $sshd_enableroot ]]; then + _sshd_default=$(sed -n '/^#PermitRootLogin \(.*\)$/s//\1/p' \ + /mnt/etc/ssh/sshd_config) + # Only change sshd_config if the user choice is not the default. + if [[ $sshd_enableroot != $_sshd_default ]]; then + sed -i "/^#\(PermitRootLogin\) .*$/s//\1 $sshd_enableroot/" \ + /mnt/etc/ssh/sshd_config + fi fi [[ -n $aperture ]] && |