From db1b20b8932dcace69eb8cf4cbefbbebd04e5ba6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 9 Aug 2017 14:24:45 +0200
Subject: [PATCH] openssh: feedback for #1750
Prodded by: @adschellevis
---
 src/etc/inc/filter.lib.inc | 2 +-
 src/etc/inc/plugins.inc.d/openssh.inc | 27 +++++++++++++++------------
 src/etc/rc.livemode | 2 +-
 src/www/guiconfig.inc | 2 +-
 src/www/system_advanced_admin.php | 4 ++--
 5 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 8082d3f1e..4ccfe32b6 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -71,7 +71,7 @@ function filter_core_antilockout_ports()
 $lockout_ports[] = "80";
 }
 if (isset($config['system']['ssh']['enabled']) ||
- (is_install_media() && !isset($config['system']['ssh']) && is_process_running('sshd'))) {
+ (!isset($config['system']['ssh']['noauto']) && is_install_media() && is_process_running('sshd'))) {
 $lockout_ports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
 }
 }
diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc
index 1d8da2375..131b9f7c0 100644
--- a/src/etc/inc/plugins.inc.d/openssh.inc
+++ b/src/etc/inc/plugins.inc.d/openssh.inc
@@ -28,6 +28,12 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */
+function openssh_enabled()
+{
+ return isset($config['system']['ssh']['enabled']) ||
+ (!isset($config['system']['ssh']['noauto']) && is_install_media());
+}
+
 function openssh_configure()
 {
 return array(
@@ -42,8 +48,7 @@ function openssh_services()
 $services = array();
- if (isset($config['system']['ssh']['enabled']) ||
- (!isset($config['system']['ssh']) && is_install_media())) {
+ if (openssh_enabled()) {
 $pconfig = array();
 $pconfig['description'] = gettext('Secure Shell Daemon');
 $pconfig['configd']['restart'] = array('openssh restart');
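Review bot: The new `openssh_enabled()` in src/etc/inc/plugins.inc.d/openssh.inc reads `$config` without declaring it global, so inside the function it is an undefined local and both `isset()` tests see nothing. As written the helper reduces to `is_install_media()`: on an installed system with SSH enabled, `openssh_services()` (next hunk) would no longer list the service, and on install media the `noauto` opt-out is ignored there. Add `global $config;` as the first statement of the function body.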
@@ -66,13 +71,11 @@ function openssh_configure_do($verbose = false)
 $sshcfg = null;
- if (isset($config['system']['ssh'])) {
- if (isset($config['system']['ssh']['enabled'])) {
- $sshcfg = $config['system']['ssh'];
- }
- } elseif (is_install_media()) {
+ if (!isset($config['system']['ssh']['noauto']) && is_install_media()) {
 /* only revert to installer config when ssh is not set at all */
 $sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1);
+ } elseif (isset($config['system']['ssh']['enabled'])) {
+ $sshcfg = $config['system']['ssh'];
 }
 if ($sshcfg === null) {
@@ -114,15 +117,15 @@ function openssh_configure_do($verbose = false)
 if ($generate_keys) {
 if (is_subsystem_dirty('sshdkeys')) {
- return;
+ return;
 }
 log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
 mark_subsystem_dirty('sshdkeys');
 foreach ($keys as $type => $name) {
- $file = "/conf/sshd/{$name}";
- @unlink("{$file}.pub");
- @unlink($file);
- mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
+ $file = "/conf/sshd/{$name}";
+ @unlink("{$file}.pub");
+ @unlink($file);
+ mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
 }
 clear_subsystem_dirty('sshdkeys');
 log_error('Completed creating your SSH keys. SSH will now be started.');
diff --git a/src/etc/rc.livemode b/src/etc/rc.livemode
index 9e7da92cb..aac8266e7 100755
--- a/src/etc/rc.livemode
+++ b/src/etc/rc.livemode
@@ -58,7 +58,7 @@ if (is_install_media()) {
 echo "\n";
- if (!isset($config['system']['ssh']) && is_process_running('sshd')) {
+ if (!isset($config['system']['ssh']['noauto']) && is_process_running('sshd')) {
 echo "Welcome! Both `root' and `installer' users are availabe for system\n";
 echo "setup or invoking the installer, respectively. The predefined root\n";
 echo "password works for both accounts. Remote login via SSH is possible.\n";
diff --git a/src/www/guiconfig.inc b/src/www/guiconfig.inc
index 468a6bfe1..abb6c8670 100644
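Review bot: In the first `openssh_configure_do()` hunk the installer branch is now tested before `enabled`, so on install media a configuration that has `enabled` set but lacks `noauto` is ignored in favour of the permissive defaults `permitrootlogin` and `passwordauth`. Before this change any existing `ssh` node kept the installer defaults from applying; if stored settings should still win, test `isset($config['system']['ssh']['enabled'])` first and keep the `noauto`/install-media test as the `elseif`. The retained comment `/* only revert to installer config when ssh is not set at all */` no longer describes the condition and could read `/* installer defaults apply unless noauto is stored */`. The function body starts and ends outside the hunk.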
--- a/src/www/guiconfig.inc
+++ b/src/www/guiconfig.inc
@@ -252,7 +252,7 @@ function print_service_banner($service)
 }
 print_alert_box(
 gettext('You are currently running in LiveCD mode. A reboot will reset the configuration.') .' ' .
- (!isset($config['system']['ssh']) && is_process_running('sshd') ?
+ (!isset($config['system']['ssh']['noauto']) && is_process_running('sshd') ?
 gettext('SSH remote login is enabled for the users "root" and ' . '"installer" using the same password.') : gettext('SSH remote login is disabled.')) );
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 4c3b9ee31..bdab19ecd 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -196,8 +196,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($config['system']['webgui']['althostnames']);
 }
- /* always store ssh setting to prevent install scenario */
- $config['system']['ssh']['reserved'] = 1;
+ /* always store setting to prevent installer auto-start */
+ $config['system']['ssh']['noauto'] = 1;
 if (!empty($pconfig['enablesshd'])) {
 $config['system']['ssh']['enabled'] = 'enabled';
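Review bot: The false branch of the ternary in src/www/guiconfig.inc still prints `SSH remote login is disabled.` whenever `noauto` is stored, even though `openssh_configure_do()` in this same commit takes the stored settings when `enabled` is set and so appears to start sshd. A live-mode user who saved the admin page with SSH switched on would then be told remote login is off while the daemon is reachable. Consider keying the disabled text on `!is_process_running('sshd')` and adding a third message for the configured case. The surrounding code starts outside the hunk.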
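Review bot: The marker written in src/www/system_advanced_admin.php is renamed from `reserved` to `noauto`, but no hunk in this patch converts configurations that already carry `reserved`. Every reader changed here tests only `noauto`, so such a configuration booted on install media would be treated as never saved and get the installer SSH defaults until the page is saved again. If `reserved` ever reached users, add a config migration or accept both keys in the readers; the new comment could also name those readers, e.g. `/* read by openssh_enabled() and filter_core_antilockout_ports() */`. The enclosing block starts and ends outside the hunk.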