git: 22c1f5d0ec21 - main - nuageinit: complete SSH support with ssh_deletekeys and disable_root

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Baptiste Daroussin <bapt_at_FreeBSD.org>
Date: Thu, 04 Jun 2026 21:15:49 UTC
The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=22c1f5d0ec215e36dd4448b9128b856b5441d21c

commit 22c1f5d0ec215e36dd4448b9128b856b5441d21c
Author:     Baptiste Daroussin <bapt@FreeBSD.org>
AuthorDate: 2026-06-04 20:17:03 +0000
Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2026-06-04 20:17:03 +0000

    nuageinit: complete SSH support with ssh_deletekeys and disable_root
    
    Add missing SSH cloud-config options from cloud-init spec:
    
    - ssh_deletekeys: remove existing SSH host keys on first boot so
      new ones are generated automatically by sshd(8).
      Implemented as delete_ssh_host_keys() in nuage.lua using lfs.dir()
      with a directory existence guard via lfs.attributes().
    
    - disable_root: set PermitRootLogin to 'no' (or a custom value via
      disable_root_opts) in /etc/ssh/sshd_config.
    
    - disable_root_opts: optional string or array to override the
      PermitRootLogin value used when disable_root is true. Only the
      first array element is used.
---
 libexec/nuageinit/nuage.lua   | 14 ++++++++++++++
 libexec/nuageinit/nuageinit   | 24 ++++++++++++++++++++++++
 libexec/nuageinit/nuageinit.7 | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)

diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
index e2db27bc7e85..7cce4c9bece1 100644
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -539,6 +539,19 @@ local function update_sshd_config(key, value)
 	os.rename(sshd_config .. ".nuageinit", sshd_config)
 end
 
+local function delete_ssh_host_keys(root)
+	local ssh_dir = root .. "/etc/ssh"
+	local attrs = lfs.attributes(ssh_dir)
+	if not attrs or attrs.mode ~= "directory" then
+		return
+	end
+	for entry in lfs.dir(ssh_dir) do
+		if entry:match("^ssh_host_.*key") or entry:match("^ssh_host_.*key%.pub") then
+			os.remove(ssh_dir .. "/" .. entry)
+		end
+	end
+end
+
 local function exec_change_password(user, password, type, expire)
 	local root = os.getenv("NUAGE_FAKE_ROOTDIR")
 	local cmd = "pw "
@@ -761,6 +774,7 @@ local n = {
 	addgroup = addgroup,
 	addsshkey = addsshkey,
 	update_sshd_config = update_sshd_config,
+	delete_ssh_host_keys = delete_ssh_host_keys,
 	chpasswd = chpasswd,
 	pkg_bootstrap = pkg_bootstrap,
 	install_package = install_package,
diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
index fc8d9582b9c6..166c3503735a 100755
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -502,6 +502,28 @@ local function ssh_pwauth(obj)
 	nuage.update_sshd_config("PasswordAuthentication", value)
 end
 
+local function ssh_deletekeys(obj)
+	if obj.ssh_deletekeys == nil then return end
+	if obj.ssh_deletekeys then
+		nuage.delete_ssh_host_keys(root)
+	end
+end
+
+local function disable_root(obj)
+	if obj.disable_root == nil then return end
+	if obj.disable_root then
+		local value = "no"
+		if obj.disable_root_opts then
+			if type(obj.disable_root_opts) == "string" then
+				value = obj.disable_root_opts
+			elseif type(obj.disable_root_opts) == "table" then
+				value = obj.disable_root_opts[1]
+			end
+		end
+		nuage.update_sshd_config("PermitRootLogin", value)
+	end
+end
+
 local function runcmd(obj)
 	if obj.runcmd == nil then return end
 	local f = nil
@@ -776,8 +798,10 @@ elseif line == "#cloud-config" then
 		settimezone,
 		groups,
 		create_default_user,
+		ssh_deletekeys,
 		ssh_keys,
 		network_config,
+		disable_root,
 		ssh_pwauth,
 		runcmd,
 		write_files_not_deferred,
diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7
index 9651abba868f..08a64b11ff58 100644
--- a/libexec/nuageinit/nuageinit.7
+++ b/libexec/nuageinit/nuageinit.7
@@ -164,6 +164,12 @@ will be used as the name of the group, the
 .Qq Ar value
 is expected to be a list of members (array), specified by name.
 .El
+.It Ic ssh_deletekeys
+Boolean which determines if the existing SSH host keys in
+.Pa /etc/ssh
+should be removed on first boot.
+New host keys will be generated automatically by
+.Xr sshd 8 .
 .It Ic ssh_keys
 An object of multiple key/values,
 .Qq Cm keys
@@ -183,6 +189,30 @@ boolean which determines the value of the
 .Qq Ic PasswordAuthentication
 configuration in
 .Pa /etc/ssh/sshd_config
+.It Ic disable_root
+Boolean which determines if root login via SSH should be disabled.
+If set to
+.Ar true ,
+sets
+.Qq Ic PermitRootLogin
+to
+.Ar no
+.Pq or the value specified in Ic disable_root_opts
+in
+.Pa /etc/ssh/sshd_config .
+.It Ic disable_root_opts
+String or array of options used to set the value of
+.Qq Ic PermitRootLogin
+in
+.Pa /etc/ssh/sshd_config ,
+when
+.Ic disable_root
+is set to
+.Ar true .
+If not specified, defaults to
+.Ar no .
+.Pp
+Only the first value is used when an array is provided.
 .It Ic network
 Network configuration parameters.
 .Pp
@@ -410,6 +440,8 @@ package_update: true
 package_upgrade: true
 runcmd:
   - logger -t nuageinit "boot finished"
+ssh_deletekeys: true
+disable_root: true
 ssh_keys:
   ed25519_private: |
     -----BEGIN OPENSSH PRIVATE KEY-----