check_sshpermitrootno: Always specify lport

When sshd listens two ports (usually 22 and another one), the sshd -T command will fail if lport is not specified. This commit also simplifies the if-elif block.
2023-11-29 17:44:06 +01:00 · 2023-11-29 17:44:06 +01:00 · 27347f7342
parent e27bb4124b
commit 27347f7342
1 changed files with 3 additions and 9 deletions
--- a/linux/evocheck.sh
+++ b/linux/evocheck.sh
@ -1201,16 +1201,10 @@ check_usrsharescripts() {
    test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
-    sshd_args="-C addr=,user=,host=,laddr=,lport=0"
-    if is_debian_stretch; then
-        # Noop, we'll use the default $sshd_args
-        :
-    elif is_debian_buster; then
+    # You could change the SSH port in /etc/evocheck.cf
+    sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}"
+    if is_debian_buster; then
        sshd_args="${sshd_args},rdomain="
-    else
-        # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
-        # -T doesn't require the additional -C.
-        sshd_args=
    fi
    # shellcheck disable=SC2086
    if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then