#!/bin/sh
# stdin: default config
# stdout: modified config
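set -e

# Read the whole of stdin (the content of /etc/ssh/sshd_config) once, so the
# same text can be checked several times and then rewritten.
stdin="$(cat)"

# fail MESSAGE: report a failed assertion on stderr and stop with status 1.
# stdout is left untouched so no partial config is emitted.
fail() {
  printf '%s\n' "$1" 1>&2
  exit 1
}

# has_line REGEX: succeed when at least one line of the saved config matches
# the POSIX basic regular expression REGEX.
# printf is used instead of echo because some /bin/sh implementations expand
# backslash escapes in echo's arguments, which would alter the config text.
has_line() {
  printf '%s\n' "$stdin" | grep -q -e "$1"
}

# assert_commented_only KEYWORD: require that KEYWORD appears as a commented
# default ("#KEYWORD ...") and does NOT also appear as an active line.
# The second check is done with an explicit "if": a bare "! pipeline" is
# exempt from "set -e", so it can never abort the script on its own.
# An already-active line matters because the sed step below would add a second
# setting for the same keyword, and sshd_config(5) documents that the first
# value obtained for a keyword is the one used.
assert_commented_only() {
  printf '=== assert %s ===\n' "$1" 1>&2
  has_line "^#${1}[[:space:]].*\$" ||
    fail "assertion failed: no commented-out ${1} line found"
  if has_line "^${1}[[:space:]].*\$"; then
    fail "assertion failed: an active ${1} line is already present"
  fi
}

# assertions
echo "=== assert UsePAM ===" 1>&2
has_line '^UsePAM yes$' || fail "assertion failed: 'UsePAM yes' not found"
#
assert_commented_only PermitRootLogin
assert_commented_only PubkeyAuthentication
assert_commented_only PasswordAuthentication
assert_commented_only PermitEmptyPasswords
assert_commented_only X11Forwarding

# Uncomment the five defaults and pin their values.
# [[:space:]] replaces the GNU-only "\s" so the script also works with the
# sed/grep of other /bin/sh environments.
# NOTE(review): "PermitRootLogin yes" allows root to use every enabled
# authentication method. "PasswordAuthentication no" does not cover
# keyboard-interactive authentication through PAM (UsePAM yes is asserted
# above); if key-only root login is the intent, "PermitRootLogin
# prohibit-password" states it explicitly. Confirm before changing.
echo "=== sed ===" 1>&2
printf '%s\n' "$stdin" | sed \
  -e 's|^#PermitRootLogin[[:space:]].*$|PermitRootLogin yes|' \
  -e 's|^#PubkeyAuthentication[[:space:]].*$|PubkeyAuthentication yes|' \
  -e 's|^#PasswordAuthentication[[:space:]].*$|PasswordAuthentication no|' \
  -e 's|^#PermitEmptyPasswords[[:space:]].*$|PermitEmptyPasswords no|' \
  -e 's|^#X11Forwarding[[:space:]].*$|X11Forwarding no|'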