The branch main has been updated by bapt:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=22c1f5d0ec215e36dd4448b9128b856b5441d21c

commit 22c1f5d0ec215e36dd4448b9128b856b5441d21c
Author:     Baptiste Daroussin <[email protected]>
AuthorDate: 2026-06-04 20:17:03 +0000
Commit:     Baptiste Daroussin <[email protected]>
CommitDate: 2026-06-04 20:17:03 +0000

    nuageinit: complete SSH support with ssh_deletekeys and disable_root
    
    Add missing SSH cloud-config options from cloud-init spec:
    
    - ssh_deletekeys: remove existing SSH host keys on first boot so
      new ones are generated automatically by sshd(8).
      Implemented as delete_ssh_host_keys() in nuage.lua using lfs.dir()
      with a directory existence guard via lfs.attributes().
    
    - disable_root: set PermitRootLogin to 'no' (or a custom value via
      disable_root_opts) in /etc/ssh/sshd_config.
    
    - disable_root_opts: optional string or array to override the
      PermitRootLogin value used when disable_root is true. Only the
      first array element is used.
---
 libexec/nuageinit/nuage.lua   | 14 ++++++++++++++
 libexec/nuageinit/nuageinit   | 24 ++++++++++++++++++++++++
 libexec/nuageinit/nuageinit.7 | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index e2db27bc7e85..7cce4c9bece1 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -539,6 +539,19 @@ local function update_sshd_config(key, value)
        os.rename(sshd_config .. ".nuageinit", sshd_config)
 end
 
+local function delete_ssh_host_keys(root)
+       local ssh_dir = root .. "/etc/ssh"
+       local attrs = lfs.attributes(ssh_dir)
+       if not attrs or attrs.mode ~= "directory" then
+               return
+       end
+       for entry in lfs.dir(ssh_dir) do
+               if entry:match("^ssh_host_.*key") or 
entry:match("^ssh_host_.*key%.pub") then
+                       os.remove(ssh_dir .. "/" .. entry)
+               end
+       end
+end
+
 local function exec_change_password(user, password, type, expire)
        local root = os.getenv("NUAGE_FAKE_ROOTDIR")
        local cmd = "pw "
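Review bot: The filename test at the `if entry:match(...)` line is unanchored, so `^ssh_host_.*key` already matches `ssh_host_ed25519_key.pub` and the `or entry:match("^ssh_host_.*key%.pub")` alternative is dead code; it also matches any stray `ssh_host_*key*` file, not just the OpenSSH host key set. More importantly, the `os.remove` return value is discarded, so a host key that cannot be unlinked (permissions, immutable flag) silently survives a boot the operator believes rotated it, which is exactly the shared-image-key exposure `ssh_deletekeys` exists to close. I would anchor the patterns to the real names (`_key`, `_key.pub`, and `_key-cert.pub`, since a host certificate is useless once its key is gone) and report a failed removal, through nuage.lua's own warning helper if it has one, otherwise `io.stderr:write`. Whether `lfs` is required in this file is not visible in the hunk, but the original already depends on it.
```lua
	-- … unchanged: directory existence guard via lfs.attributes …
	for entry in lfs.dir(ssh_dir) do
		-- private key, public key and host certificate share the key's basename
		if entry:match("^ssh_host_%w+_key$") or
		   entry:match("^ssh_host_%w+_key%.pub$") or
		   entry:match("^ssh_host_%w+_key%-cert%.pub$") then
			local path = ssh_dir .. "/" .. entry
			local ok, err = os.remove(path)
			if not ok then
				-- a surviving host key defeats the purpose of ssh_deletekeys; say so
				io.stderr:write("nuageinit: cannot remove " .. path .. ": " .. tostring(err) .. "\n")
			end
		end
	end
```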
@@ -761,6 +774,7 @@ local n = {
        addgroup = addgroup,
        addsshkey = addsshkey,
        update_sshd_config = update_sshd_config,
+       delete_ssh_host_keys = delete_ssh_host_keys,
        chpasswd = chpasswd,
        pkg_bootstrap = pkg_bootstrap,
        install_package = install_package,
diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
index fc8d9582b9c6..166c3503735a 100755
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -502,6 +502,28 @@ local function ssh_pwauth(obj)
        nuage.update_sshd_config("PasswordAuthentication", value)
 end
 
+local function ssh_deletekeys(obj)
+       if obj.ssh_deletekeys == nil then return end
+       if obj.ssh_deletekeys then
+               nuage.delete_ssh_host_keys(root)
+       end
+end
+
+local function disable_root(obj)
+       if obj.disable_root == nil then return end
+       if obj.disable_root then
+               local value = "no"
+               if obj.disable_root_opts then
+                       if type(obj.disable_root_opts) == "string" then
+                               value = obj.disable_root_opts
+                       elseif type(obj.disable_root_opts) == "table" then
+                               value = obj.disable_root_opts[1]
+                       end
+               end
+               nuage.update_sshd_config("PermitRootLogin", value)
+       end
+end
+
 local function runcmd(obj)
        if obj.runcmd == nil then return end
        local f = nil
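Review bot: `disable_root_opts` is written into `PermitRootLogin` unchecked at `nuage.update_sshd_config("PermitRootLogin", value)`, although sshd_config(5) accepts only `yes`, `prohibit-password`, `forced-commands-only` and `no` (`without-password` as a legacy alias); any other token makes sshd_config unparsable and sshd refuses to start, locking the operator out of a fresh instance. That is a realistic input, because in cloud-init `disable_root_opts` is an authorized_keys option string (`no-port-forwarding,...,command="echo ..."`) rather than a PermitRootLogin value, so configs written for cloud-init will hit this path. An empty array (`disable_root_opts: []`) also yields `value = nil` at `obj.disable_root_opts[1]`, and a non-string element is passed through as-is; how update_sshd_config behaves on a nil or multi-line value is outside the hunk. I would validate against the known keywords and fall back to `no` with a warning (via the script's own warning helper if it has one), since writing an unintended value into sshd_config is worse than ignoring the option.
```lua
-- keywords sshd_config(5) accepts for PermitRootLogin; anything else breaks sshd startup
local permit_root_values = {
	["no"] = true,
	["prohibit-password"] = true,
	["without-password"] = true, -- deprecated alias of prohibit-password
	["forced-commands-only"] = true,
	["yes"] = true, -- accepted by sshd, arguably contradictory under disable_root
}

local function disable_root(obj)
	if obj.disable_root == nil then return end
	if not obj.disable_root then return end
	local value = "no"
	local opts = obj.disable_root_opts
	if type(opts) == "table" then
		opts = opts[1] -- only the first element is honoured, as documented
	end
	if opts ~= nil then
		if type(opts) == "string" and permit_root_values[opts] then
			value = opts
		else
			-- refuse unknown values rather than emit an unparsable sshd_config
			io.stderr:write("nuageinit: invalid disable_root_opts value, using PermitRootLogin no\n")
		end
	end
	nuage.update_sshd_config("PermitRootLogin", value)
end
```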
@@ -776,8 +798,10 @@ elseif line == "#cloud-config" then
                settimezone,
                groups,
                create_default_user,
+               ssh_deletekeys,
                ssh_keys,
                network_config,
+               disable_root,
                ssh_pwauth,
                runcmd,
                write_files_not_deferred,
diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7
index 9651abba868f..08a64b11ff58 100644
--- a/libexec/nuageinit/nuageinit.7
+++ b/libexec/nuageinit/nuageinit.7
@@ -164,6 +164,12 @@ will be used as the name of the group, the
 .Qq Ar value
 is expected to be a list of members (array), specified by name.
 .El
+.It Ic ssh_deletekeys
+Boolean which determines if the existing SSH host keys in
+.Pa /etc/ssh
+should be removed on first boot.
+New host keys will be generated automatically by
+.Xr sshd 8 .
 .It Ic ssh_keys
 An object of multiple key/values,
 .Qq Cm keys
@@ -183,6 +189,30 @@ boolean which determines the value of the
 .Qq Ic PasswordAuthentication
 configuration in
 .Pa /etc/ssh/sshd_config
+.It Ic disable_root
+Boolean which determines if root login via SSH should be disabled.
+If set to
+.Ar true ,
+sets
+.Qq Ic PermitRootLogin
+to
+.Ar no
+.Pq or the value specified in Ic disable_root_opts
+in
+.Pa /etc/ssh/sshd_config .
+.It Ic disable_root_opts
+String or array of options used to set the value of
+.Qq Ic PermitRootLogin
+in
+.Pa /etc/ssh/sshd_config ,
+when
+.Ic disable_root
+is set to
+.Ar true .
+If not specified, defaults to
+.Ar no .
+.Pp
+Only the first value is used when an array is provided.
 .It Ic network
 Network configuration parameters.
 .Pp
@@ -410,6 +440,8 @@ package_update: true
 package_upgrade: true
 runcmd:
   - logger -t nuageinit "boot finished"
+ssh_deletekeys: true
+disable_root: true
 ssh_keys:
   ed25519_private: |
     -----BEGIN OPENSSH PRIVATE KEY-----
