
From 32605051864e5e7ba16e7582d1a75459c826ef59 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 5 May 2022 20:08:59 +0200
Subject: [PATCH 22/39] Improve remediation, do not trigger second inhibitor
In the past, both of the inhibitors were triggered when the
configuration file did not contain any PermitRootLogin configuration
option. But it really does not make sense to report the second
inhibitor if the first one is already raised.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../actors/opensshpermitrootlogincheck/actor.py | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index ae3b4586..4cc4cbc2 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -74,13 +74,16 @@ class OpenSshPermitRootLoginCheck(Actor):
reporting.Severity(reporting.Severity.HIGH),
reporting.Tags(COMMON_REPORT_TAGS),
reporting.Remediation(
- hint='If you depend on remote root logins using '
- 'passwords, consider setting up a different '
- 'user for remote administration or adding '
- '"PermitRootLogin yes" to sshd_config.'
+ hint='If you depend on remote root logins using passwords, consider '
+ 'setting up a different user for remote administration or adding '
+ '"PermitRootLogin yes" to sshd_config. '
+ 'If this change is ok for you, add explicit '
+ '"PermitRootLogin prohibit-password" to your sshd_config '
+ 'to ignore this inhibitor'
),
reporting.Flags([reporting.Flags.INHIBITOR])
] + COMMON_RESOURCES)
+ return
# Check if there is at least one PermitRootLogin other than "no"
# in match blocks (other than Match All).
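Review bot: The extended `hint` in `reporting.Remediation` still offers `"PermitRootLogin yes"` first, without saying that this keeps password-based root login reachable over SSH. The phrase "If this change is ok for you" also does not say which change is meant, presumably the new default for the option after the upgrade. I would put the stricter setting first, for example `'If key-based root login is sufficient, add an explicit "PermitRootLogin prohibit-password" to sshd_config to clear this inhibitor. '`, then give the `yes` alternative with a note that it re-enables password logins for root, and end the final sentence with a period. The bare `return` added after the report would be easier to follow with a comment such as `# first inhibitor already raised; skip the Match-block check below`. The enclosing method starts and ends outside the hunk, so the condition guarding this branch is not visible here.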
--
2.35.3