From 4344b2eae08d58095d22d1b08894a49b5e3fb9d5 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Wed, 12 Dec 2018 18:28:20 -0600
Subject: [PATCH] Tweak how we lock down SSH config

hopefully avoids some logic gaps where lock-down didn't happen
---
 rattail_fabric/ssh.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/rattail_fabric/ssh.py b/rattail_fabric/ssh.py
index feaab86..cc8d4e5 100644
--- a/rattail_fabric/ssh.py
+++ b/rattail_fabric/ssh.py
@@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
 import warnings
 from fabric.api import sudo, cd, settings
-from fabric.contrib.files import exists, sed, append
+from fabric.contrib.files import exists, sed
 from rattail_fabric import mkdir, agent_sudo
 from rattail_fabric.python import cdvirtualenv
 
 
@@ -70,15 +70,14 @@ def configure(allow_root=False):
     """
     Configure the OpenSSH service
     """
-    path = '/etc/ssh/sshd_config'
+    # PermitRootLogin no (or without-password)
+    value = 'without-password' if allow_root else 'no'
+    sed('/etc/ssh/sshd_config', r'^#?PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
+    sed('/etc/ssh/sshd_config', r'^PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
 
-    entry = 'PermitRootLogin {}'.format('without-password' if allow_root else 'no')
-    sed(path, r'^PermitRootLogin\s+.*', entry, use_sudo=True)
-    append(path, entry, use_sudo=True)
-
-    entry = 'PasswordAuthentication no'
-    sed(path, r'^PasswordAuthentication\s+.*', entry, use_sudo=True)
-    append(path, entry, use_sudo=True)
+    # PasswordAuthentication no
+    sed('/etc/ssh/sshd_config', r'^#?PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
+    sed('/etc/ssh/sshd_config', r'^PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
 
     restart()
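Review bot: With the append() fallback removed, an sshd_config that has no PasswordAuthentication line at all (neither commented nor active) is left untouched by both sed() calls, and sshd's built-in default for that directive is `yes`, so on such a host the lock-down silently does not happen — the very gap the commit message is trying to close (the same applies to PermitRootLogin, though its daemon default is already restrictive on current OpenSSH). The second sed() per directive is redundant, since `^#?PermitRootLogin .*` already matches the active form, and neither new pattern matches a tab after the keyword, which the old `\s+` patterns accepted. Because a bad edit here leaves sshd unable to start and the operator locked out, validate with `sudo('sshd -t')` before restart(). The sketch below needs `contains` and `append` put back into the fabric.contrib.files import that the first hunk trims; configure()'s def line is only visible in the hunk header.

```python
    # … unchanged: PermitRootLogin sed() …
    if not contains('/etc/ssh/sshd_config', r'^PermitRootLogin ', use_sudo=True, escape=False):
        append('/etc/ssh/sshd_config', 'PermitRootLogin {}'.format(value), use_sudo=True)
    # … unchanged: PasswordAuthentication sed() …
    # sed() only rewrites an existing line; sshd defaults this to "yes" when absent
    if not contains('/etc/ssh/sshd_config', r'^PasswordAuthentication ', use_sudo=True, escape=False):
        append('/etc/ssh/sshd_config', 'PasswordAuthentication no', use_sudo=True)
    sudo('sshd -t')  # refuse to restart on a broken config (lock-out protection)
    restart()
```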