From 05800c2a21956ac5d2f185f430c95e0731f2ff5b Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Sun, 5 Apr 2026 16:11:17 +0200
Subject: [PATCH] OP#561 add root login
---
 manifests/main/files.pp | 7 +++++++
 manifests/params.pp | 19 +++++++++++--------
 templates/sshd_custom_conf.erb | 4 +++-
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index de10f4f..118cf09 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -35,5 +35,12 @@ class confdroid_ssh::main::files (
 content => template($sshd_custom_erb),
 notify => Service[$sshd_service],
 }
+ # we want the default root login setting to be managed by the custom conf,
+ # so we remove the default file if it exists
+ file { $sshd_root_login_file:
+ ensure => absent,
+ path => $sshd_root_login_file,
+ notify => Service[$sshd_service],
+ }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index a616ae8..484747d 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -11,6 +11,7 @@
 # @param [Boolean] ssh_manage_config whether to manage the configuration
 # @param [String] ssh_address_family AddressFamily setting for sshd_config
 # @param [String] ssh_listen_address ListenAddress setting for sshd_config
+# @param [String] ssh_root_login PermitRootLogin setting for sshd_config
 ##############################################################################
 class confdroid_ssh::params (
@@ -27,6 +28,7 @@ class confdroid_ssh::params (
 Boolean $ssh_manage_config = true,
 String $ssh_address_family = 'any',
 String $ssh_listen_address = '0.0.0.0',
+ String $ssh_root_login = 'prohibit-password',
 ) {
 # default facts
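Review bot: Removing only `$sshd_root_login_file` does not by itself guarantee that `10-custom.conf` decides PermitRootLogin, because sshd keeps the first value it reads for a keyword. Any other drop-in in `sshd_config.d` that sorts before `10-custom.conf` would still win, as would a PermitRootLogin line placed ahead of the Include in the main `sshd_config`, if it has one. The comment above the new `file` resource should record that reasoning, e.g. `# sshd uses the first PermitRootLogin it reads; 01-permitrootlogin.conf sorts before 10-custom.conf and would override it`. The `path => $sshd_root_login_file,` attribute repeats the resource title and can be dropped. The enclosing class and its conditional block start outside the hunk, so whether the directory is purged elsewhere is not visible here.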
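Review bot: `String $ssh_root_login` in the second hunk of manifests/params.pp accepts any text, and that value is written verbatim into `PermitRootLogin <%= @ssh_root_login %>` in templates/sshd_custom_conf.erb before `Service[$sshd_service]` is notified. A typo would therefore produce a config that sshd is likely to reject on restart, and a value containing a newline would add further directives to the file. Constraining the type closes both: `Enum['yes', 'prohibit-password', 'forced-commands-only', 'no'] $ssh_root_login = 'prohibit-password',`, with the `@param` line in the first hunk of this file updated to match. The default still lets root log in with a key; if no managed host needs that, `'no'` is the stricter default. The parameter list starts and ends outside the hunk.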
@@ -36,14 +38,15 @@ class confdroid_ssh::params (
 $os_name = $facts['os']['name']
 $os_release = $facts['os']['release']['major']
- $sshd_user = 'root'
- $ssh_etc_path = '/etc/ssh'
- $sshd_service = 'sshd'
- $sshd_config_path = "${ssh_etc_path}/sshd_config"
- $sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
- $sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
- $sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
- $sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
+ $sshd_user = 'root'
+ $ssh_etc_path = '/etc/ssh'
+ $sshd_service = 'sshd'
+ $sshd_config_path = "${ssh_etc_path}/sshd_config"
+ $sshd_custom_path = "${ssh_etc_path}/sshd_config.d"
+ $sshd_custom_conf = "${sshd_custom_path}/10-custom.conf"
+ $sshd_custom_erb = 'confdroid_ssh/sshd_custom_conf.erb'
+ $sshd_config_erb = 'confdroid_ssh/sshd_config.erb'
+ $sshd_root_login_file = "${sshd_custom_path}/01-permitrootlogin.conf"
 # includes must be last
 include confdroid_ssh::main::config
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 1f9e222..09ff526 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -7,4 +7,6 @@ Port <%= @ssh_fw_port %>
 AddressFamily <%= @ssh_address_family %>
-ListenAddress <%= @ssh_listen_address %>
\ No newline at end of file
+ListenAddress <%= @ssh_listen_address %>
+
+PermitRootLogin <%= @ssh_root_login %>
\ No newline at end of file
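Review bot: The new last line `PermitRootLogin <%= @ssh_root_login %>` in templates/sshd_custom_conf.erb is again left without a trailing newline, as the `\ No newline at end of file` marker on the new side shows. That is why this commit had to rewrite the untouched `ListenAddress` line, and the next directive added to the template will have to rewrite the PermitRootLogin line in the same way. It also means anything appended to the rendered `10-custom.conf` outside Puppet would run onto the PermitRootLogin value. Ending the template with a newline after `<%= @ssh_root_login %>` avoids both.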