From c3e2e9c52b30c5702d95a20b68aa00493d1ec024 Mon Sep 17 00:00:00 2001 From: William Gill Date: Sun, 14 Jun 2026 16:59:39 -0500 Subject: [PATCH] fix(oslib): install_openssh must not report failure on non-Alpine install_openssh ended with '[[ "$OS_FAMILY" == alpine ]] && pkg_install ...'. As the function's LAST statement, that trailing test returns 1 on every non-Alpine OS (a false '[[ ]]' exits 1), so the function reported failure even when the packages installed fine. Harmless while the call was bare under set -e (a short-circuited && is exempt), but the new 'install_openssh || die' guard read it as a real failure and aborted harden-ssh on Alma right after 'Installing OpenSSH server...'. Fix: convert the Alpine-only linux-pam step to an if-block, and add '|| return 1' to the main install so a genuine package failure still propagates honestly. Co-Authored-By: Claude Opus 4.8 (1M context) --- scripts/oslib.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/oslib.sh b/scripts/oslib.sh index ac1ec19..4ddb3e8 100644 --- a/scripts/oslib.sh +++ b/scripts/oslib.sh @@ -397,9 +397,16 @@ install_openssh() { fi local sftp_pkg; sftp_pkg="$(pkg_name sftp-server)" # shellcheck disable=SC2046 - pkg_install $(pkg_name openssh-server) $(pkg_name openssh-client) ${sftp_pkg:+$sftp_pkg} - # Alpine needs linux-pam present for the PAM server build. - [[ "$OS_FAMILY" == alpine ]] && pkg_install linux-pam openrc + pkg_install $(pkg_name openssh-server) $(pkg_name openssh-client) ${sftp_pkg:+$sftp_pkg} || return 1 + # Alpine needs linux-pam present for the PAM server build. Use an if-block, + # NOT `[[ ... ]] && ...`: as the LAST statement, that trailing test makes the + # whole function exit 1 on every non-Alpine OS (a false `[[ ]]` returns 1) -- + # harmless to a bare call under `set -e`, but a caller guarding with `|| die` + # reads it as an OpenSSH install failure. The `|| return 1` above still + # surfaces a real package failure. + if [[ "$OS_FAMILY" == alpine ]]; then + pkg_install linux-pam openrc + fi } # Install sshguard + an iptables firewall backend. On RHEL/Alma sshguard lives