From 27347f7342a561dedcbe6d9e702be5f780b9e0d7 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Wed, 29 Nov 2023 17:44:06 +0100
Subject: [PATCH] check_sshpermitrootno: Always specify lport

When sshd listens two ports (usually 22 and another one), the sshd -T command will fail if lport is not specified.

This commit also simplifies the if-elif block.
---
 linux/evocheck.sh | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/linux/evocheck.sh b/linux/evocheck.sh
index 741f6a8..132a552 100755
--- a/linux/evocheck.sh
+++ b/linux/evocheck.sh
@@ -1201,16 +1201,10 @@ check_usrsharescripts() {
 test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
- sshd_args="-C addr=,user=,host=,laddr=,lport=0"
- if is_debian_stretch; then
- # Noop, we'll use the default $sshd_args
- :
- elif is_debian_buster; then
+ # You could change the SSH port in /etc/evocheck.cf
+ sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}"
+ if is_debian_buster; then
 sshd_args="${sshd_args},rdomain="
- else
- # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
- # -T doesn't require the additional -C.
- sshd_args=
 fi
 # shellcheck disable=SC2086
 if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
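Review bot: The new `lport=${SSH_PORT:-22}` is spliced into `sshd_args` without any validation and then expanded unquoted on the last hunk line (SC2086 is deliberately disabled there), so a non-numeric or multi-word `SSH_PORT` from /etc/evocheck.cf makes `sshd -T` exit non-zero instead of dumping the config, and because stderr is sent to /dev/null and only the grep result is inspected, that failure is indistinguishable from a real `PermitRootLogin yes`. A guard before the assignment, e.g. `case "${SSH_PORT:-22}" in ''|*[!0-9]*) failed "<check name>" "SSH_PORT must be a port number"; return ;; esac`, turns a bad setting into an explicit finding, and capturing the dump separately — `sshd_conf=$(sshd -T ${sshd_args} 2>/dev/null) || { failed "<check name>" "sshd -T failed, check SSH_PORT in /etc/evocheck.cf"; return; }` and then grepping `"$sshd_conf"` — keeps "sshd could not evaluate its config" apart from "root login is permitted". It is also worth saying in the new comment that `-C … lport=` makes sshd evaluate `Match` blocks for that single port only, so on the two-port setups this commit targets a `Match LocalPort` block on the other port that permits root would presumably go unreported; the check covers only the port named in SSH_PORT. The `if` body that reports the failure and the rest of check_sshpermitrootno lie outside the hunk.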