#!/bin/sh
#
# rescue-remote	Prepare for remote access via SSH
#
# chkconfig: 345 99 01
# description: This service arranges for reasonably safe remote access.

WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

LOCKFILE=/var/lock/subsys/rescue_remote

SSHD_CONFIG=/etc/openssh/sshd_config

# Gate for everything below: remote root access is only set up when sshd has
# a non-empty configuration AND the operator explicitly asked for it with
# rootpw=... on the kernel command line.  Otherwise there is nothing to do.
if [ ! -s "$SSHD_CONFIG" ] || ! grep -qs '\<rootpw=' /proc/cmdline; then
	exit 0
fi

# Print one generated password on stdout.  apg is tried first; pwgen is the
# fallback when apg is missing or fails.  Diagnostics of both are dropped so
# the only output is the password itself (or nothing if neither tool works).
gen_rootpw() {
	apg -n1 2>/dev/null || pwgen -1 2>/dev/null
}

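# don't allow the empty one: both default and useless
rootpw=

# Print the value of the rootpw= kernel parameter read on stdin (nothing when
# it is absent).  The value runs up to the next space, so trailing punctuation
# such as "foo!" is kept; the previous pattern ended the match at a word
# boundary and silently dropped such characters.
parse_rootpw() {
	sed -rn 's/^.*\<rootpw=([^ ]+).*$/\1/p'
}

# Set the root password from rootpw=<value> on the kernel command line.
# rootpw=AUTO asks gen_rootpw for one.  Exits the whole script with status 0
# when no usable password results, so remote root access is never enabled
# with an empty password.
set_rootpw() {
	rootpw="$(parse_rootpw < /proc/cmdline)"
	if [ "$rootpw" = AUTO ]; then
		rootpw="$(gen_rootpw)"
		[ -n "$rootpw" ] || echo "rescue-remote: rootpw=AUTO but no password generator (apg/pwgen) available" >&2
	fi
	[ -n "$rootpw" ] || exit 0
	# printf, not echo: echo would swallow a leading -n/-e and, under a POSIX
	# sh, interpret backslashes in the password.  The password goes via stdin
	# so it never appears in the process list.
	printf '%s\n' "$rootpw" | passwd --stdin root
}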

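# Bring the network up unless another configurator owns it.
#   ip=dhcp                       => mocked CONFIG_IP_PNP (no ethernet drivers
#                                    compiled into the kernel)
#   automatic=method:*,network:*  => propagator
#   uird.*                        => magos
# Returns 0; failures of the underlying services are deliberately ignored
# (output discarded) so that a broken network never blocks the rest of setup.
setup_networking() {
	local opts
	grep -qE '\<(network:|uird\.)' /proc/cmdline && return

	service livecd-net-eth start 2>/dev/null
	{
		# 35 is 30 for STP plus 5 for the actual DHCP query/reply
		for opts in /etc/net/ifaces/*/options; do
			# an unmatched glob stays literal; skip it instead of feeding sed
			[ -e "$opts" ] || continue
			sed -r -i 's,^DHCP_TIMEOUT=.*,DHCP_TIMEOUT=35,' "$opts"
		done
		service network condstop
		service network start
	} >/dev/null 2>&1   # ">&file" is a bashism; this form works under #!/bin/sh
}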

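# Configure and (re)start sshd for root login.
# Reads port=<n> from the kernel command line into the global $port (also
# displayed by show_hint) and rewrites $SSHD_CONFIG in place.
setup_sshd() {
	# Only a purely numeric value can match, so $port is safe to write into
	# the config file; additionally reject values outside 1..65535, which
	# would otherwise make sshd refuse to start at all.
	port="$(sed -rn 's/^.*\<port=([0-9]+)\>.*$/\1/p' /proc/cmdline)"
	if [ -n "$port" ] && { [ "${#port}" -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; }; then
		echo "rescue-remote: ignoring invalid port=$port" >&2
		port=
	fi
	if [ -n "$port" ]; then
		sed -i "s,^Port .*$,#&," "$SSHD_CONFIG"
		echo "Port $port" >> "$SSHD_CONFIG"
	fi

	# sshd keeps the first value it sees for a keyword, so an existing
	# "PermitRootLogin no" would win over anything appended below.  Comment
	# such lines out first, exactly as is done for Port above.
	# NOTE(review): directives are appended to the end of the file; if the
	# config ends with a Match block they would land inside it — confirm the
	# shipped default config has none.
	sed -ri 's/^[[:space:]]*(PermitRootLogin|UseDNS)([[:space:]]|=).*$/#&/I' "$SSHD_CONFIG"
	{ echo UseDNS=yes; echo PermitRootLogin=yes; } >> "$SSHD_CONFIG"

	service sshd condstop
	service sshd start
}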

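# Console colour escapes used by the hint: bright white, grey, bright red.
# printf is used instead of "echo -ne": under a POSIX sh echo may not honour
# -n/-e and would print the option letters literally.
w="$(printf '\033[1;37m')"
g="$(printf '\033[0;37m')"
r="$(printf '\033[1;31m')"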

# Print all global-scope IPv4 addresses as a single comma-separated, coloured
# line (no trailing newline), using $w/$g from above.  Prints nothing when
# there is no global address.
get_addr() {
	local joined
	joined="$(ip -o ad \
		| sed -rn "s|^.* inet ([0-9.]+).* scope global .*$|$w\1$g, |p" \
		| tr -d '\n')"
	# drop the separator left after the last address
	printf '%s' "${joined%, }"
}

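# Print the operator hint on the console: addresses, sshd port and the root
# password ($rootpw/$port are set by set_rootpw/setup_sshd, colours by the
# $w/$g/$r globals).  Anyone who can read the console sees the password; that
# is the point of this rescue mode, but it is worth being aware of.
show_hint() {
	local p="$w" warn=
	# passwords under 8 characters are shown in red with a warning
	if [ "${#rootpw}" -lt 8 ]; then
		p="$r"
		warn=" (WARNING: too short!)"
	fi

	# printf '%s' rather than echo: a password containing backslashes would be
	# mangled by echo under a POSIX sh that interprets escapes.
	printf '\n%s\n' "** WARNING: remote root access is now enabled"
	printf '%s\n' "** IP(s): $(get_addr)"
	printf '%s\n' "** sshd port: $w$port$g"
	printf '%s\n' "** root password: $p$rootpw$g$warn"
}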

# Dispatch on the rc action.  Unknown actions are ignored and the script
# always finishes with status 0.
action="${1-}"
case "$action" in
	start|restart|reload)
		# This action line is required to fool rc script.
		set_rootpw
		setup_networking
		setup_sshd
		show_hint
		touch "$LOCKFILE"
		;;
	stop|condstop)
		rm -f -- "$LOCKFILE"
		;;
	*)
		;;
esac

exit 0
