Tweak how we lock down SSH config

hopefully avoids some logic gaps where lock-down didn't happen

rattail_fabric/ssh.py

@@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
 import warnings
 
 from fabric.api import sudo, cd, settings
-from fabric.contrib.files import exists, sed, append
+from fabric.contrib.files import exists, sed
 
 from rattail_fabric import mkdir, agent_sudo
 from rattail_fabric.python import cdvirtualenv
@@ -70,15 +70,14 @@ def configure(allow_root=False):
     """
     Configure the OpenSSH service
     """
-    path = '/etc/ssh/sshd_config'
+    # PermitRootLogin no (or without-password)
+    value = 'without-password' if allow_root else 'no'
+    sed('/etc/ssh/sshd_config', r'^#?PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
+    sed('/etc/ssh/sshd_config', r'^PermitRootLogin .*', 'PermitRootLogin {}'.format(value), use_sudo=True)
 
-    entry = 'PermitRootLogin {}'.format('without-password' if allow_root else 'no')
+    # PasswordAuthentication no
-    sed(path, r'^PermitRootLogin\s+.*', entry, use_sudo=True)
+    sed('/etc/ssh/sshd_config', r'^#?PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
-    append(path, entry, use_sudo=True)
+    sed('/etc/ssh/sshd_config', r'^PasswordAuthentication .*', 'PasswordAuthentication no', use_sudo=True)
-
-    entry = 'PasswordAuthentication no'
-    sed(path, r'^PasswordAuthentication\s+.*', entry, use_sudo=True)
-    append(path, entry, use_sudo=True)
 
     restart()