[BlueOnyx:17142] Re: Two small 5208R bugs - fixed

Michael Stauber mstauber at blueonyx.it
Thu Feb 26 12:03:01 -05 2015


Hi Dan (and all),

> 1) PermitRootLogin is getting overwritten as the only option is yes
> or no.  We have SSH locked down to certain IP addresses via iptables
> and so allow root to login "without-password".  I'm sure you know
> that this means root can only login with a key while stopping anyone
> from logging in as root with a password even if they have the right
> one.  We use this for a number of scripts which break every time we
> do an update :-)
> 
> 2) In the same vein /root/.bashrc is re-created each time we update.  We
> have to remove the echo lines as rsync doesn't like it.  We are happy to
> do it once to each box but it keeps coming back again on update.

I just published a fix for this for 5207R, 5208R and 5209R.

Here is how it works - just to make sure everyone understands it:

In /etc/ssh/sshd_config the option "PermitRootLogin" only has two
options (as far as the GUI is concerned): Yes or No.

This is toggled between "Yes" or "No" depending on what you have
configured in the GUI under "Server Management" / "Services" / "Shell"
at the option "SSH Root Login".

If you want to deny password authentication in SSH, then simply untick
the box "Password Authentication". As long as "Public Key
Authentication" is ticked, users with valid SSH keys/certificates can
still login.

Root can login with or without password and this is solely handled via
the checkbox for "SSH Root Login". If this is ticked, root can get in
via the configured methods (password or public key - or both).

If root has his SSH keys installed or has a PEM certificate, then he can
log in (even without password), provided "Public Key Authentication" is
ticked, regardless of whether "Password Authentication" is ticked or not.

So there is no need to manually edit /etc/ssh/sshd_config and to
manually set "PermitRootLogin" to anything else but "Yes" or "No". This
value is under management of the GUI handler/constructors and on each
CCEd restart will fall back in line with what is configured in the GUI.

Now on to /root/.bashrc: I modified the GUI handler so that the "To
configure your network settings ..." is only added to /root/.bashrc if
the following three conditions are all met:

1.) /root/network_settings.sh exists
2.) Initial web based setup of the box has NOT yet been completed.
3.) PermitRootLogin is (still) set to 'No'.

This makes sure that the echo lines with the network settings reminder
don't come back once you're past the initial setup.

-- 
With best regards

Michael Stauber
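Added example, not part of the thread and not BlueOnyx code: a POSIX shell script that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, and nothing after the first "Match" line applies globally), reports the effective root-login policy from PermitRootLogin, PasswordAuthentication and PubkeyAuthentication, and implements the three-condition guard described above for the /root/.bashrc network-settings reminder. The setup-complete marker file, the OpenSSH default of prohibit-password for PermitRootLogin, and all sample configs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): report the effective root-login policy
# of an sshd_config and apply the three-condition guard for the
# /root/.bashrc network-settings reminder. Sample files are constructed.

# sshd_option FILE KEYWORD DEFAULT -> prints the value (lower-cased) or DEFAULT.
# Mirrors sshd: first match wins, keywords case-insensitive, stop at "Match".
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/      { next }                   # comments / blank lines
        tolower($1) == "match"    { exit }                   # conditional section begins
        tolower($1) == key        { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# root_login_policy FILE -> denied | key-only | password-only | password+key |
# none | forced-commands-only. Defaults assume OpenSSH >= 7.0, where
# PermitRootLogin defaults to prohibit-password (assumption of this example).
root_login_policy() {
    prl=$(sshd_option "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    pk=$(sshd_option "$1" PubkeyAuthentication yes)
    case "$prl" in
        no)                                 echo denied; return 0 ;;
        forced-commands-only)               echo forced-commands-only; return 0 ;;
        without-password|prohibit-password) pw=no ;;        # keys still allowed if pk=yes
        yes)                                ;;
        *)                                  echo "unknown:$prl"; return 1 ;;
    esac
    if   [ "$pw" = yes ] && [ "$pk" = yes ]; then echo password+key
    elif [ "$pk" = yes ];                    then echo key-only
    elif [ "$pw" = yes ];                    then echo password-only
    else                                          echo none
    fi
}

# need_network_reminder SCRIPT MARKER SSHD_CONFIG -> succeeds only if all three
# conditions from the message hold: the script exists, initial setup has NOT
# completed (marker file absent; the marker is an assumption here), and
# PermitRootLogin is still "no".
need_network_reminder() {
    [ -f "$1" ] || return 1
    [ ! -e "$2" ] || return 1
    [ "$(sshd_option "$3" PermitRootLogin prohibit-password)" = no ] || return 1
    return 0
}

# Demo on constructed files; run as: sh root_login_policy.sh
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample; the GUI would normally write yes or no here
PermitRootLogin without-password
PasswordAuthentication yes
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
echo "effective root login: $(root_login_policy "$demo_dir/sshd_config")"   # key-only
: > "$demo_dir/network_settings.sh"
if need_network_reminder "$demo_dir/network_settings.sh" "$demo_dir/setup_done" "$demo_dir/sshd_config"; then
    echo "reminder would be added to /root/.bashrc"
else
    echo "reminder not needed"          # PermitRootLogin is not "no" in the sample
fi
rm -rf "$demo_dir"
```

The "Match" cut-off matters for the check in the message: a PermitRootLogin line inside a Match block only applies to the matched connections, so a global audit must stop reading there rather than take the last value it sees.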


