From d1ee572c0237d917802e26383cc3945518497c42 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 27 Apr 2015 23:17:11 +0000 Subject: [PATCH] Rework sshd enable root login questions in light of sshd PermitRootLogin default change. The new default is not to ask to enable root logins when a non-root user has been addedi. There is some additional sublety for auto-installs that provide root ssh keys. patch by myself and rpe@ with feedback from sthen@; ok rpe@ deraadt@ sthen@ --- distrib/miniroot/install.sh | 3 ++- distrib/miniroot/install.sub | 34 +++++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/distrib/miniroot/install.sh b/distrib/miniroot/install.sh index 1a883ffa5bb..db0f3b54d4d 100644 --- a/distrib/miniroot/install.sh +++ b/distrib/miniroot/install.sh @@ -1,5 +1,5 @@ #!/bin/ksh -# $OpenBSD: install.sh,v 1.265 2015/04/13 21:27:07 deraadt Exp $ +# $OpenBSD: install.sh,v 1.266 2015/04/27 23:17:11 djm Exp $ # $NetBSD: install.sh,v 1.5.2.8 1996/08/27 18:15:05 gwr Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback @@ -95,6 +95,7 @@ questions # Gather information for setting up the initial user account. user_setup +ask_root_sshd # Set TZ variable based on zonefile and user selection. set_timezone /var/tzlist diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 6ba5855f980..16cd174853c 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,4 +1,4 @@ -# $OpenBSD: install.sub,v 1.833 2015/04/26 14:49:23 henning Exp $ +# $OpenBSD: install.sub,v 1.834 2015/04/27 23:17:11 djm Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer @@ -1576,12 +1576,22 @@ user_setup() { userkey= $AUTO && ask "Public ssh key for user $user" none && [[ $resp != none ]] && userkey=$resp +} - if [[ $sshd == y ]]; then - ask_yn "Since you set up a user, disable sshd(8) logins to root?" yes - sshd_disableroot=$resp +# Ask user whether or not to allow logins to root in case sshd(8) is enabled. +# If no user is setup, show a hint to enable root logins, but warn about risks +# of doing so. During autoinstall ask if a rootkey is provided, even if a user +# is setup. +ask_root_sshd() { + [[ $sshd == y ]] || return + if [[ -z $user ]]; then + echo "Since no user was setup, root logins via sshd(8) might be useful." + echo "WARNING: root accounts are often targets of password guessing attacks." + fi + if [[ -z $user || -n $rootkey ]]; then + ask_yn "Enable sshd(8) logins to root?" no + sshd_enableroot=$resp fi - } # Set TZ variable based on zonefile $1 and user selection. @@ -2007,12 +2017,18 @@ install_sets() { # Apply configuration settings based on the previously gathered information. apply() { - [[ $sshd == n ]] && echo "sshd_flags=NO" >>/mnt/etc/rc.conf.local - if [[ $sshd_disableroot == y ]]; then - sed "/^#\(PermitRootLogin\) yes/s//\1 no/" \ - < /mnt/etc/ssh/sshd_config >/tmp/sshd_config + local ssh_permitroot= + + if [[ $sshd == y && $sshd_enableroot == y ]]; then + ssh_permitroot=yes + [[ -n $rootkey ]] && ssh_permitroot=without-password + sed "/^#\(PermitRootLogin\) no/s//\1 $ssh_permitroot/" \ + /tmp/sshd_config cp /tmp/sshd_config /mnt/etc/ssh/sshd_config + else + echo "sshd_flags=NO" >>/mnt/etc/rc.conf.local fi + if [[ $ntpd == y ]]; then echo "ntpd_flags=" >>/mnt/etc/rc.conf.local [[ $ntpd_server == default ]] && ntpd_server=pool.ntp.org -- 2.20.1