From e38aa5636f9da13764078dd4023454f8c2c986f1 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Wed, 16 Jun 2021 15:41:12 +0200
Subject: [PATCH] sshpermitrootno: Use effective configuration. Fixes #129.
---
 evocheck.sh | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/evocheck.sh b/evocheck.sh
index 6bba06c..21672f2 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -1217,14 +1217,20 @@ check_usrsharescripts() {
     test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
-    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
-        if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
-            grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
-                || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
-        fi
+    sshd_args="-C addr=,user=,host=,laddr=,lport=0"
+    if is_debian_jessie || is_debian_stretch; then
+        # Noop, we'll use the default $sshd_args
+        :
+    elif is_debian_buster; then
+        sshd_args="${sshd_args},rdomain="
     else
-        grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
-            || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
+        # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
+        # -T doesn't require the additional -C.
+        sshd_args=
+    fi
+    # XXX: We want parameter expension here
+    if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
+        failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
     fi
 }
 check_evomaintenanceusers() {
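Review bot: The new `sshd -T` check in check_sshpermitrootno only reports the global PermitRootLogin value: the `-C` spec passes empty `addr=`/`user=`/`host=` criteria (and on bullseye no `-C` at all), and sshd applies Match blocks only against those criteria, so a `PermitRootLogin yes` inside a `Match Address` or `Match User` block passes the check unnoticed, which the old whole-file grep at least had a chance of catching. If that is the intended scope it should be stated next to the XXX comment, e.g. `# Match blocks are not evaluated with these (empty) -C criteria; only the global PermitRootLogin value is checked`. Separately, when `sshd -T` itself fails (bad directive, missing host key), nothing reaches grep and the failure is reported as `PermitRoot should be set to no`, which misattributes the cause; capturing the output first, `sshd_conf=$(sshd -T $sshd_args) || failed "IS_SSHPERMITROOTNO" "sshd -T failed, configuration not checked"`, and grepping `$sshd_conf` afterwards keeps the two cases distinct. `sshd_args` is also not declared `local` (if the script is bash, an array `sshd_args=(-C ...)` expanded as `"${sshd_args[@]}"` would remove the need for the unquoted expansion), and `expension` in the XXX comment should read `expansion`.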