From cfe9cceb6a27142c7408c55fcc5f9c8b3b4a8bdf Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Thu, 17 Oct 2024 13:21:01 +0200
Subject: [PATCH] MT#61271 trixie: adjust sshd_config after system is installed

If we set up /etc/ssh/sshd_config early in early system deployment, we end up with an empty /etc/ssh/sshd_config configuration file with only our own changes:

| root@spce:~# cat /etc/ssh/sshd_config
| # added by deployment.sh
| PerSourcePenalties no
| # end of deployment.sh changes
| ### Added by ngcp-installer
| PermitRootLogin yes

The other defaults of sshd are OK for us, but for automated SSH logins we also need:

AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/sipwise_vagrant_key

And for SCP-ing files we also need:

Subsystem sftp /usr/lib/openssh/sftp-server

Otherwise our Jenkins job fail due to failing ssh/scp actions.

So instead move our trixie specific code in deployment.sh for adjusting /etc/ssh/sshd_config to be executed *after* installing base system. Then the openssh-server package sets up /etc/ssh/sshd_config as expected, and we only extend its configuration then.

While at it, explicitly mark beginning and end of our changes.

Change-Id: I68a235b55e9cf18c39e9034b7f3b2ed0ffd237f0
---
 templates/scripts/includes/deployment.sh | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/templates/scripts/includes/deployment.sh b/templates/scripts/includes/deployment.sh
index b1bb5c3..5129158 100755
--- a/templates/scripts/includes/deployment.sh
+++ b/templates/scripts/includes/deployment.sh
@@ -2216,15 +2216,6 @@ case "${DEBIAN_RELEASE}" in
     ;;
 esac
 
-# MT#61265 avoid "penalty: failed authentication" in automated SSH/SCP actions in Jenkins jobs
-case "${DEBIAN_RELEASE}" in
-  trixie)
-    echo "Disabling PerSourcePenalties in /etc/ssh/sshd_config for Debian release '${DEBIAN_RELEASE}'"
-    echo '# added by deployment.sh' >> "${TARGET}"/etc/ssh/sshd_config
-    echo 'PerSourcePenalties no' >> "${TARGET}"/etc/ssh/sshd_config
-    ;;
-esac
-
 # MT#7805
 if "$NGCP_INSTALLER" ; then
   cat << EOT | augtool --root="$TARGET"
@@ -2423,6 +2414,19 @@ EOT
   grml-chroot "${TARGET}" /bin/bash /tmp/retrieve_authorized_keys.sh
 fi
 
+# MT#61265 avoid "penalty: failed authentication" in automated SSH/SCP actions in Jenkins jobs
+case "${DEBIAN_RELEASE}" in
+  trixie)
+    echo "Adjusting /etc/ssh/sshd_config for Debian release '${DEBIAN_RELEASE}'"
+    echo '# added by deployment.sh' >> "${TARGET}"/etc/ssh/sshd_config
+
+    echo "Disabling PerSourcePenalties in /etc/ssh/sshd_config"
+    echo 'PerSourcePenalties no' >> "${TARGET}"/etc/ssh/sshd_config
+
+    echo '# end of deployment.sh changes' >> "${TARGET}"/etc/ssh/sshd_config
+    ;;
+esac
+
 if "$VAGRANT" ; then
   echo "Bootoption vagrant present, executing vagrant_configuration."
   vagrant_configuration
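Review bot: `PerSourcePenalties no` in the re-added trixie block switches off sshd's per-source failed-authentication penalty (its brute-force throttling) for every client of the deployed host, although the stated motivation is only the Jenkins SSH/SCP jobs; since OpenSSH 9.8 the narrower option is to keep the penalty enabled and exempt the CI sources with `PerSourcePenaltyExemptList <jenkins-address-or-cidr>` (a comma-separated list of addresses or CIDRs), which would require the Jenkins source ranges to be known at deployment time. Separately, the lines are appended to the end of `sshd_config`, and Debian's packaged file begins with an `Include /etc/ssh/sshd_config.d/*.conf` directive (not visible in this hunk); sshd uses the first value it obtains for a keyword, so any drop-in that sets `PerSourcePenalties` would silently override the appended line. Writing the block to a dedicated drop-in such as `"${TARGET}"/etc/ssh/sshd_config.d/00-deployment.conf` instead of appending would make the setting take effect deterministically, avoid duplicating the block if deployment.sh is re-run against the same target, and leave the package's conffile untouched. The `case`/`esac` is complete within the hunk; the `if "$VAGRANT"` block that follows continues outside it.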