| author | Craig Jennings <c@cjennings.net> | 2026-04-26 19:56:16 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-04-26 19:56:16 -0500 |
| commit | 822075bf99cda84782ef04419855f6c289a6fc13 (patch) | |
| tree | e4abf99bdf7da13fcb1b6a00fc12d2105fd2608e /tests | |
| parent | 9f62328988e83413eb819ac1ab2021a414188a67 (diff) | |
refactor: collapse sshd_config seds into enable_sshd_root_login
The two sed -i invocations in configure_ssh worked on stock Arch sshd_config but had a real silent-failure mode. If neither the commented (#PermitRootLogin) nor the uncommented form was present, both seds did nothing and the install shipped without root SSH. The user discovered it at first ssh attempt, not at install time. The second sed was also redundant. By the time it ran, the first sed had produced a line matching the second sed's pattern.
The new enable_sshd_root_login helper in lib/common.sh combines both substitutions into one sed -i -e ..., then verifies PermitRootLogin yes is present in the file. If the verification fails, it calls error rather than silently appending. Silent appending would mask a corrupted starting file, which is exactly the failure mode worth flagging loudly.
The helper takes the config path as an argument so the bats tests in commit 7486abb can run unprivileged against tempfiles. configure_ssh passes /mnt/etc/ssh/sshd_config and is now a single call instead of two seds.
Verified: bats 135 → 140 (+5 covering normal/boundary/error). Lint clean. Helper smoke-tested against current Arch sshd_config. The loud-error path can't be exercised against the live default but is covered by the bats error case.
Filed as a follow-up :techdebt: item: ~10 other sed -i sites in installer/archangel and lib/btrfs.sh follow the same silent-replace pattern. The FILES= site for LUKS is the worst (silent failure means LUKS prompts on every boot). Triage each per this same recipe in a future session.
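The substitute-then-verify recipe from the commit message, as an added sketch: it is not the enable_sshd_root_login helper from lib/common.sh, which this page does not show. The function names are hypothetical, and it swaps sed -i for a scratch copy so the original file is overwritten only after the check passes.

```shell
#!/usr/bin/env bash
# Added illustration of "substitute, then verify"; not archangel's helper.
# Function names (fail, set_permit_root_login_yes, demo) are hypothetical.

# Stand-in for the installer's error function: report on stderr only.
fail() { echo "ERROR: $*" >&2; }

# set_permit_root_login_yes FILE
# Rewrites every commented (#PermitRootLogin) or uncommented PermitRootLogin
# line in FILE to "PermitRootLogin yes" and fails if no such line existed.
set_permit_root_login_yes() {
    local cfg="$1" tmp
    [ -f "$cfg" ] || { fail "no such file: $cfg"; return 1; }
    tmp=$(mktemp) || { fail "mktemp failed"; return 1; }

    # sed exits 0 whether or not anything matched, so its status says
    # nothing about the outcome. Work on a scratch copy first.
    if ! sed -E 's/^#?PermitRootLogin([[:space:]].*)?$/PermitRootLogin yes/' \
            "$cfg" > "$tmp"; then
        rm -f "$tmp"; fail "sed failed on $cfg"; return 1
    fi

    # Post-condition: the directive must now be present. If it is not, the
    # starting file was not what we assumed, so leave it untouched and
    # report the problem instead of appending.
    if ! grep -q '^PermitRootLogin yes$' "$tmp"; then
        rm -f "$tmp"
        fail "no PermitRootLogin line in $cfg; refusing to append"
        return 1
    fi

    # cat (not mv) keeps the original file's owner and mode.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; fail "cannot write $cfg"; return 1; }
    rm -f "$tmp"
}

# Constructed sample input, not a real sshd_config.
demo() {
    sample=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'Port 22' > "$sample"
    set_permit_root_login_yes "$sample" && cat "$sample"
    rm -f "$sample"
}
demo
```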
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/unit/test_common.bats | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/tests/unit/test_common.bats b/tests/unit/test_common.bats index 4d58bd9..9d267ab 100644 --- a/tests/unit/test_common.bats +++ b/tests/unit/test_common.bats 
@@ -332,3 +332,76 @@ Boot0001* ZFSBootMenu" @test "EFI_DIR is defined and equals /mnt/efi" { [ "$EFI_DIR" = "/mnt/efi" ] } + +############################# +# enable_sshd_root_login +############################# +# enable_sshd_root_login takes an sshd_config path and ensures the +# file ends up with `PermitRootLogin yes`. It must error loudly if +# neither the commented (#PermitRootLogin) nor uncommented +# (PermitRootLogin) form is present, since silently appending would +# mask a corrupted starting file. + +@test "enable_sshd_root_login uncomments stock Arch sshd_config line" { + local f + f=$(mktemp) + printf '%s\n' '#PermitRootLogin prohibit-password' > "$f" + + enable_sshd_root_login "$f" + + grep -q '^PermitRootLogin yes$' "$f" + rm -f "$f" +} + +@test "enable_sshd_root_login flips PermitRootLogin no to yes" { + local f + f=$(mktemp) + printf '%s\n' 'PermitRootLogin no' > "$f" + + enable_sshd_root_login "$f" + + grep -q '^PermitRootLogin yes$' "$f" + ! grep -q '^PermitRootLogin no$' "$f" + rm -f "$f" +} + +@test "enable_sshd_root_login is idempotent on PermitRootLogin yes" { + local f + f=$(mktemp) + printf '%s\n' 'PermitRootLogin yes' > "$f" + + enable_sshd_root_login "$f" + + [ "$(grep -c '^PermitRootLogin yes$' "$f")" -eq 1 ] + rm -f "$f" +} + +@test "enable_sshd_root_login replaces all matching lines (mixed commented + uncommented)" { + local f + f=$(mktemp) + printf '%s\n' \ + '#PermitRootLogin prohibit-password' \ + 'PermitRootLogin no' \ + 'OtherOption value' \ + '#PermitRootLogin without-password' > "$f" + + enable_sshd_root_login "$f" + + [ "$(grep -c '^PermitRootLogin yes$' "$f")" -eq 3 ] + ! 
grep -q '^PermitRootLogin no$' "$f" + grep -q '^OtherOption value$' "$f" + rm -f "$f" +} + +@test "enable_sshd_root_login errors when no PermitRootLogin line is present" { + local f + f=$(mktemp) + printf '%s\n' 'OnlyOtherOptions yes' > "$f" + + error() { echo "ERROR: $*" >&2; return 1; } + run enable_sshd_root_login "$f" + [ "$status" -ne 0 ] + [[ "$output" == *"PermitRootLogin"* ]] + ! grep -q 'PermitRootLogin' "$f" + rm -f "$f" +} |
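Review bot: The negated assertions cannot fail their tests as written: `! grep -q '^PermitRootLogin no$' "$f"` in the "flips" and "replaces all matching lines" tests and `! grep -q 'PermitRootLogin' "$f"` in the error test are each followed by `rm -f "$f"`, and bash exempts `!`-negated commands from errexit, so bats only notices a negated command when it is the last line of the test. As a result, the error test does not actually prove the file was left without a PermitRootLogin line, and the flip test does not prove the `no` line is gone. Write them as `! grep -q ... "$f" || false`, or as `run ! grep -q ... "$f"` on bats 1.5 or later. A smaller point on the same lines: the trailing `rm -f "$f"` is skipped whenever an earlier assertion fails, so a failing test leaves its mktemp file behind; creating the file under `$BATS_TEST_TMPDIR` or removing it in `teardown` avoids that.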
