From ec515b52b681cd96bf51626bf899e3177bdbe3f3 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen.hemminger@vyatta.com>
Date: Sun, 24 Jan 2010 22:15:27 -0800
Subject: Fix allow-root for telnet/ssh

Bug 5252
The boot script needs to restore default settings, and the
templates are then used to enable root access.
---
 scripts/rl-system.init | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

(limited to 'scripts')

diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index 09d4509e..960674d8 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -165,11 +165,21 @@ setup_ntp_config_file () {
     fi
 }
 
-# restore PAM back to virgin state (no radius other services)
-pam_reset () {
-    if grep -q radius /etc/pam.d/common-auth
-    then pam-auth-update --remove radius
-    fi
+
+# These are all the default security setting which are later
+# overridden when configuration is read. These are the values the
+# system defaults.
+security_reset () {
+   # restore PAM back to virgin state (no radius other services)
+   if grep -q radius /etc/pam.d/common-auth
+   then pam-auth-update --remove radius
+   fi
+
+   # Disable root login with ssh
+   sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+
+   # Disable root login over telnet
+   sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
 }
 
 start () {
@@ -183,7 +193,7 @@ start () {
 	log_failure_msg "can\'t add serial interfaces"
 
     set_ipv6_params
-    pam_reset
+    security_reset
 
     update_version_info
 
-- 
cgit v1.2.3