1.54.0.sh,armbian.sh,build-SD-rpi.sh,install.sh,ncp.sh,SSH.sh: Do not…

… lock root or remove ability to SSH

bin/ncp/NETWORKING/SSH.sh

@@ -11,12 +11,6 @@
 install() {
   [ -n "${NOUPDATE}" ] || apt-get update
   apt-get install -y --no-install-recommends openssh-server
-  if grep '^PermitRootLogin' /etc/ssh/sshd_config
-  then
-    sed -i -e 's/^PermitRootLogin.*$/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
-  else
-    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config
-  fi
   systemctl reload ssh
  }
 
@@ -34,21 +28,6 @@ configure()
     return 0
   }
 
-  # Check for bad ideas
-  [[ "${USER,,}" == "pi" ]] && [[ "${PASS,,}" == "raspberry" ]] && {
-    echo "Refusing to use the default Raspbian user and password. It's insecure"
-    return 1
-  }
-  [[ "${USER,,}" == "root" ]] && {
-    echo "Refusing to use the root user for SSH. It's insecure"
-    return 1
-  }
-  # Disallow the webadmin to be used for SSH
-  [[ "${USER,,}" == "ncp" ]] && {
-    echo "The webadmin is not allowed to be used, pick another username"
-    return 1
-  }
-
   # --force: exit successfully if the group already exists
   groupadd --force ncp-ssh
 

build/armbian/armbian.sh

@@ -38,14 +38,10 @@ CODE_DIR="$(pwd)" DBG=x bash install.sh
 echo -e "\nPostinstall..."
 run_app_unsafe post-inst.sh
 
-# disable SSH by default, it can be enabled through ncp-web
-systemctl disable ssh
-
 # disable armbian autologin
 rm -f /etc/systemd/system/getty@.service.d/override.conf
 rm -f /etc/systemd/system/serial-getty@.service.d/override.conf
 rm -f /root/.not_logged_in_yet
-sed -i 's|^root::|root:x:|' /etc/passwd
 
 basename "$IMG" | tee /usr/local/etc/ncp-baseimage
 

build/build-SD-rpi.sh

@@ -76,9 +76,6 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
     apt-get install -y --no-install-recommends haveged
     systemctl enable haveged.service
 
-    # harden SSH further for Raspbian
-    sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
-
     # cleanup
     source etc/library.sh && run_app_unsafe post-inst.sh
     rm /etc/resolv.conf

install.sh

@@ -28,17 +28,6 @@ export PATH="/usr/local/sbin:/usr/sbin:/sbin:${PATH}"
 type mysqld &>/dev/null && echo ">>> WARNING: existing mysqld configuration will be changed <<<"
 type mysqld &>/dev/null && mysql -e 'use nextcloud' &>/dev/null && { echo "The 'nextcloud' database already exists. Aborting"; exit 1; }
 
-[[ "$CI" == "true" ]] || {
-  echo "WARNING: This installer will disable SSH login for the root user and reset its password.
-If you need to login with root, you should make sure, you have a root session open that you can use,
-to revert these changes afterwards (set PermitRootLogin to 'yes' in /etc/ssh/sshd_config and run passwd as root)."
-  for i in {1..10}
-  do
-    echo "Continuing in $((30-(3*i)))s (press Ctrl+C to abort)..."
-    sleep 3
-  done
-}
-
 # get dependencies
 [ -n "${NOUPDATE}" ] || apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y git ca-certificates sudo lsb-release wget jq gnupg2

ncp.sh

@@ -81,10 +81,7 @@ EOF
   ## NCP USER FOR AUTHENTICATION
   id -u "$WEBADMIN" &>/dev/null || useradd --home-dir /nonexistent "$WEBADMIN"
   echo -e "$WEBPASSWD\n$WEBPASSWD" | passwd "$WEBADMIN"
-  is_docker || is_lxc || {
-    chsh -s /usr/sbin/nologin "$WEBADMIN"
-    passwd -l root
-  }
+  is_docker || is_lxc || chsh -s /usr/sbin/nologin "$WEBADMIN"
 
   ## NCP LAUNCHER
   mkdir -p /home/www

updates/1.54.0.sh

@@ -2,18 +2,10 @@
 
 set -e
 
-echo "Update root login prevention method..."
+echo "Update root shell..."
 if getent passwd "root" | grep -e '/usr/sbin/nologin'
 then
   sed -i '/^root/s|/usr/sbin/nologin|/bin/bash|' /etc/passwd
-  passwd -l root
-  if grep '^PermitRootLogin' /etc/ssh/sshd_config
-  then
-    sed -i -e 's/^PermitRootLogin.*$/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
-  else
-    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config
-  fi
-  systemctl reload ssh
 fi
 echo "done."