From efc376963381e5157c218f84b97cb7cb40816872 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 17 Jul 2023 11:30:13 -0600 Subject: [PATCH] cherry-picked piercema/Malcolm@76fad17b9d920216a1554134807a418562aa71b5 and piercema/Malcolm@dd6bdf3bfe247e0491febde1c8beff197ccbd4ea for idaholab/Malcolm#158 --- shared/bin/configure-interfaces.py | 22 +++++++++++++++++-- shared/bin/preseed_late_user_config.sh | 30 ++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py index 2e71806c7..47cda9448 100755 --- a/shared/bin/configure-interfaces.py +++ b/shared/bin/configure-interfaces.py @@ -56,11 +56,14 @@ class Constants: TIME_SYNC_HTPDATE_COMMAND = '/usr/sbin/htpdate -4 -a -b -l -s' TIME_SYNC_NTP_CONFIG = '/etc/ntp.conf' + SSHD_CONFIG_FILE = "/etc/ssh/sshd_config" + MSG_CONFIG_MODE = 'Configuration Mode' MSG_BACKGROUND_TITLE = 'Sensor Configuration' MSG_CONFIG_HOST = ('Hostname', 'Configure sensor hostname') MSG_CONFIG_INTERFACE = ('Interface', 'Configure an interface\'s IP address') MSG_CONFIG_TIME_SYNC = ('Time Sync', 'Configure time synchronization') + MSG_CONFIG_SSH = ('SSH Authentication', 'Configure SSH authentication') MSG_CONFIG_STATIC_TITLE = 'Provide the values for static IP configuration' MSG_ERR_ROOT_REQUIRED = 'Elevated privileges required, run as root' MSG_ERR_BAD_HOST = 'Invalid host or port' 
@@ -82,7 +85,9 @@ class Constants: MSG_TESTING_CONNECTION_FAILURE = "Connection error: could not connect to {}:{}" MSG_SET_HOSTNAME_CURRENT = 'Current sensor identification information\n\n' MSG_SET_HOSTNAME_SUCCESS = 'Set sensor hostname successfully!\n\n' + MSG_CONFIG_SSH_SUCCESS = 'SSH authentication configured successfully!\n\n' MSG_IDENTIFY_NICS = 'Do you need help identifying network interfaces?' + MSG_SSH_PASSWORD_AUTH = 'Enable SSH Password Authentication?' MSG_SELECT_INTERFACE = 'Select interface to configure' MSG_SELECT_BLINK_INTERFACE = 'Select capture interface to identify' MSG_BLINK_INTERFACE = '{} will blink for {} seconds' @@ -184,9 +189,9 @@ def main(): except Exception: pass if installation == Constants.DEV_SENSOR: - modeChoices = [Constants.MSG_CONFIG_INTERFACE, Constants.MSG_CONFIG_HOST, Constants.MSG_CONFIG_TIME_SYNC] + modeChoices = [Constants.MSG_CONFIG_INTERFACE, Constants.MSG_CONFIG_HOST, Constants.MSG_CONFIG_TIME_SYNC, Constants.MSG_CONFIG_SSH] elif installation == Constants.DEV_AGGREGATOR: - modeChoices = [Constants.MSG_CONFIG_HOST, Constants.MSG_CONFIG_TIME_SYNC] + modeChoices = [Constants.MSG_CONFIG_HOST, Constants.MSG_CONFIG_TIME_SYNC, Constants.MSG_CONFIG_SSH] else: print(Constants.MSG_ERR_DEV_INVALID) sys.exit(1) @@ -399,6 +404,19 @@ def main(): else: raise CancelledError + elif config_mode == Constants.MSG_CONFIG_SSH[0]: + # configure SSH authentication options + code = d.yesno(Constants.MSG_CONFIG_SSH_SUCCESS) + if (code == Dialog.OK): + password_re = re.compile(r'^\s*#*\s*PasswordAuthentication\s+(yes|no)') + with fileinput.FileInput(Constants.SSHD_CONFIG_FILE, inplace=True, backup='.bak') as file: + for line in file: + if password_re.match(line): + line = "PasswordAuthentication yes" + print(line) + # restart the ssh process + run_subprocess('/bin/systemctl restart ssh') + else: # interface IP address configuration ################################################################################################# 
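Review bot: In the new `MSG_CONFIG_SSH` branch of main(), `d.yesno` is given `Constants.MSG_CONFIG_SSH_SUCCESS` as its prompt, so the operator is asked to confirm a success message while the `MSG_SSH_PASSWORD_AUTH` question added earlier in this patch is never shown; only the Yes answer is handled, so this menu can switch password logins on but never off again. The rewrite loop calls `print(line)` on lines that still carry their own newline, which (indentation is flattened on this page, so assuming the print sits at loop level) doubles every line break in `sshd_config`; if it sits inside the `if` instead, every other directive is dropped from the file. The regex also matches commented-out `PasswordAuthentication` lines, so a commented example inside a `Match` block would be activated too, which is worth checking against the shipped file. I would map Yes/No to `yes`/`no`, write with `print(line, end='')`, check the edited file with `sshd -t` before restarting, and show the success text only afterwards, as sketched below. main() starts and continues outside this hunk.

```python
elif config_mode == Constants.MSG_CONFIG_SSH[0]:
    # ask the actual question; Yes enables password logins, No disables them, Esc changes nothing
    code = d.yesno(Constants.MSG_SSH_PASSWORD_AUTH)
    if code in (Dialog.OK, Dialog.CANCEL):
        auth_value = 'yes' if code == Dialog.OK else 'no'
        # … unchanged: password_re and the fileinput.FileInput(...) context manager …
            for line in file:
                if password_re.match(line):
                    line = "PasswordAuthentication {}\n".format(auth_value)
                # each line keeps its own newline, so print must not append another
                print(line, end='')
        # … unchanged: restart the ssh service …
        d.msgbox(Constants.MSG_CONFIG_SSH_SUCCESS)
```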
diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index da09537c7..06481b16b 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh @@ -52,6 +52,16 @@ Description: Template: malcolm/disable_ipv6_title Type: text Description: IPv6 + +Template: malcolm/ssh_password_auth +Type: boolean +Default: false +Description: + Allow SSH password authentication? + +Template: malcolm/ssh_password_auth_title +Type: text +Description: SSH Password Authentication !EOF! # load template @@ -185,3 +195,23 @@ else fi echo "malcolm/dod_banner=$RET" >> /tmp/malcolm.answer + +# set title +db_settitle malcolm/ssh_password_auth_title + +# prompt +db_input critical malcolm/ssh_password_auth +db_go + +# get answer to $RET +db_get malcolm/ssh_password_auth + +if [ "$RET" = true ]; then + SSH_PASSWORD_AUTH = "yes" +else + SSH_PASSWORD_AUTH = "no" +fi + +sed -i "s/^[[:space:]]*#*[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*[[:alpha:]][[:alpha:]]*[[:space:]]*$/PasswordAuthentication $SSH_PASSWORD_AUTH/g" /etc/ssh/ssh_config 2>/dev/null || true + +echo "malcolm/ssh_password_auth=$RET" >> /tmp/malcolm.answer \ No newline at end of file
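Review bot: The two assignments in the added `if` block are written with spaces around `=` (`SSH_PASSWORD_AUTH = "yes"`), which the shell runs as a command named SSH_PASSWORD_AUTH instead of setting the variable, so the `sed` replacement expands to `PasswordAuthentication ` with no value. The `sed` also edits `/etc/ssh/ssh_config`, the client configuration, while the daemon reads `/etc/ssh/sshd_config` (the path configure-interfaces.py uses in this same patch), and `2>/dev/null || true` hides any failure, so an installer answer of "no" leaves the server's password-login setting at whatever the image shipped with. I would write `SSH_PASSWORD_AUTH="yes"` and `SSH_PASSWORD_AUTH="no"`, point the `sed` at `/etc/ssh/sshd_config`, and report a failed edit instead of suppressing it.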