Restore add_permitrootlogin_conf functionality

Monstrofil · Monstrofil · commit c0aa6bb2a716 · 2024-08-22T12:00:02.000+03:00
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -1,7 +1,7 @@
 from leapp import reporting
 from leapp.actors import Actor
 from leapp.exceptions import StopActorExecutionError
-from leapp.libraries.actor.opensshpermitrootlogincheck import global_value, semantics_changes
+from leapp.libraries.actor.opensshpermitrootlogincheck import global_value, semantics_changes, add_permitrootlogin_conf
 from leapp.libraries.common.config.version import get_source_major_version
 from leapp.libraries.stdlib import api
 from leapp.models import OpenSshConfig, Report
@@ -64,25 +64,29 @@ def process7to8(self, config):
         # the configuration file was locally modified, it will not get updated by
         # RPM and the user might be locked away from the server with new default
         if not config.permit_root_login:
+            add_permitrootlogin_conf()
             create_report([
-                reporting.Title('Possible problems with remote login using root account'),
-                reporting.Summary(
-                    'OpenSSH configuration file does not explicitly state '
-                    'the option PermitRootLogin in sshd_config file, '
-                    'which will default in RHEL8 to "prohibit-password".'
-                ),
-                reporting.Severity(reporting.Severity.HIGH),
-                reporting.Groups(COMMON_REPORT_TAGS),
-                reporting.Remediation(
-                    hint='If you depend on remote root logins using passwords, consider '
-                         'setting up a different user for remote administration or adding '
-                         '"PermitRootLogin yes" to sshd_config. '
-                         'If this change is ok for you, add explicit '
-                         '"PermitRootLogin prohibit-password" to your sshd_config '
-                         'to ignore this inhibitor'
-                ),
-                reporting.Groups([reporting.Groups.INHIBITOR])
-            ] + COMMON_RESOURCES)
+            reporting.Title('SSH configuration automatically modified to permit root login'),
+            reporting.Summary(
+                'Your OpenSSH configuration file does not explicitly state '
+                'the option PermitRootLogin in sshd_config file. '
+                'Its default is "yes" in RHEL7, but will change in '
+                'RHEL8 to "prohibit-password", which may affect your ability '
+                'to log onto this machine after the upgrade. '
+                'To prevent this from occuring, the PermitRootLogin option '
+                'has been explicity set to "yes" to preserve the default behaivour '
+                'after migration. '
+                'The original configuration file has been backed up to '
+                '/etc/ssh/sshd_config.leapp_backup'
+            ),
+            reporting.Severity(reporting.Severity.MEDIUM),
+            reporting.Groups(COMMON_REPORT_TAGS),
+            reporting.Remediation(
+              hint='If you would prefer to configure the root login policy yourself, '
+                   'consider setting the PermitRootLogin option '
+                   'in sshd_config explicitly.'
+            )
+            ] + resources)
             return
 
         # Check if there is at least one PermitRootLogin other than "no"
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
@@ -41,3 +41,29 @@ def semantics_changes(config):
             in_match_enabled = True
 
     return config_global_value is None and not in_match_enabled
+
+def add_permitrootlogin_conf():
+    CONFIG = '/etc/ssh/sshd_config'
+    CONFIG_BACKUP = '/etc/ssh/sshd_config.leapp_backup'
+    try:
+        with open(CONFIG, 'r') as fd:
+            sshd_config = fd.readlines()
+
+            permit_autoconf = [
+                "# Automatically added by Leapp to preserve RHEL7 default\n",
+                "# behavior after migration.\n",
+                "# Placed on top of the file to avoid being included into Match blocks.\n",
+                "PermitRootLogin yes\n"
+                "\n",
+            ]
+            permit_autoconf.extend(sshd_config)
+        with open(CONFIG, 'w') as fd:
+            fd.writelines(permit_autoconf)
+        with open(CONFIG_BACKUP, 'w') as fd:
+            fd.writelines(sshd_config)
+
+    except IOError as err:
+        if err.errno != errno.ENOENT:
+            error = 'Failed to open sshd_config: {}'.format(str(err))
+            api.current_logger().error(error)
+        return
