From ec515b52b681cd96bf51626bf899e3177bdbe3f3 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen.hemminger@vyatta.com>
Date: Sun, 24 Jan 2010 22:15:27 -0800
Subject: Fix allow-root for telnet/ssh

Bug 5252
The boot script needs to restore default settings, and the
templates are then used to enable root access.
---
 debian/vyatta-cfg-system.postinst.in         |  2 ++
 scripts/rl-system.init                       | 22 ++++++++++++++++------
 templates/service/ssh/allow-root/node.def    |  2 +-
 templates/service/telnet/allow-root/node.def |  2 +-
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1e77d69d..f06bfb50 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -45,6 +45,8 @@ if [ "$sysconfdir" != "/etc" ]; then
 
     # enable ssh banner
     sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+    # make sure PermitRoot is off
+    sed -i '/^PermitRootLogin/s/yes/no' /etc/ssh/sshd_config
 
     # for "admin" level
     sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
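Review bot: The added sed expression on the second new line is missing its closing delimiter — `s/yes/no` instead of `s/yes/no/` — so GNU sed rejects it as an unterminated `s' command and the postinst step either aborts or, if the exit status is ignored, silently leaves PermitRootLogin unchanged. The equivalent edit in rl-system.init in this same patch spells it correctly; the line should read `sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config`. Note also that the address only matches an uncommented `PermitRootLogin` line, so a commented-out or absent directive is left as is and sshd then falls back to its own built-in default. The enclosing `if [ "$sysconfdir" != "/etc" ]` block starts and ends outside the hunk.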
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index 09d4509e..960674d8 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -165,11 +165,21 @@ setup_ntp_config_file () {
     fi
 }
 
-# restore PAM back to virgin state (no radius other services)
-pam_reset () {
-    if grep -q radius /etc/pam.d/common-auth
-    then pam-auth-update --remove radius
-    fi
+
+# These are all the default security setting which are later
+# overridden when configuration is read. These are the values the
+# system defaults.
+security_reset () {
+   # restore PAM back to virgin state (no radius other services)
+   if grep -q radius /etc/pam.d/common-auth
+   then pam-auth-update --remove radius
+   fi
+
+   # Disable root login with ssh
+   sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+
+   # Disable root login over telnet
+   sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
 }
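Review bot: The securetty reset on the last added line keys on the literal comment `# Pseudo-terminal (telnet)` and deletes from that line to end of file, so its correctness depends on /opt/vyatta/sbin/vyatta_update_telnet writing exactly that marker (not visible here); if the marker is absent the pts entries survive the reset and root stays permitted over telnet, and anything another tool appended after the marker is dropped as well. A comment tying the pattern to the enabling script, e.g. `# marker line written by vyatta_update_telnet allow-root true`, would keep the two in sync. Both `sed -i` calls run unchecked on every boot, so a failed rewrite of /etc/ssh/sshd_config would go unnoticed; `|| log_failure_msg "can't reset sshd_config"` would match how start() reports its other failures. The new body is also indented with three spaces where the surrounding file uses four (`    fi` above).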
 
 start () {
@@ -183,7 +193,7 @@ start () {
 	log_failure_msg "can\'t add serial interfaces"
 
     set_ipv6_params
-    pam_reset
+    security_reset
 
     update_version_info
 
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 1c56d221..c1e6abf2 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,5 +1,5 @@
 help: Enable root login over ssh
 
-update: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
+create: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
 
 delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
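Review bot: Switching the action to `create:` makes the sed run once when the node is created, but nothing in this template reloads sshd afterwards, so the edited PermitRootLogin value presumably does not take effect until sshd is restarted (can't confirm from here whether another hook handles that). The substitution is also silent when the directive is not literally `PermitRootLogin no` — commented out, absent, or set to another value such as `without-password` — because sed exits 0 with no match, leaving allow-root configured while root login is still refused. Matching the whole value, `s/^PermitRootLogin .*/PermitRootLogin yes/`, would make the enable step deterministic, and the delete line would benefit from the same treatment.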
diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def
index 01c8bd0f..39c78062 100644
--- a/templates/service/telnet/allow-root/node.def
+++ b/templates/service/telnet/allow-root/node.def
@@ -1,3 +1,3 @@
 help: Enable root login over telnet
-update: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
+create: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
 delete:/opt/vyatta/sbin/vyatta_update_telnet allow-root false
-- 