nuageinit: complete SSH support with ssh_deletekeys and disable_root

Add missing SSH cloud-config options from cloud-init spec:

- ssh_deletekeys: remove existing SSH host keys on first boot so
  new ones are generated automatically by sshd(8).
  Implemented as delete_ssh_host_keys() in nuage.lua using lfs.dir()
  with a directory existence guard via lfs.attributes().

- disable_root: set PermitRootLogin to 'no' (or a custom value via
  disable_root_opts) in /etc/ssh/sshd_config.

- disable_root_opts: optional string or array to override the
  PermitRootLogin value used when disable_root is true. Only the
  first array element is used.
Baptiste Daroussin
2026-06-04 22:17:03 +02:00
parent ea0932d71a
commit 22c1f5d0ec
3 changed files with 70 additions and 0 deletions
+14
@@ -539,6 +539,19 @@ local function update_sshd_config(key, value)
os.rename(sshd_config .. ".nuageinit", sshd_config)
end
local function delete_ssh_host_keys(root)
local ssh_dir = root .. "/etc/ssh"
local attrs = lfs.attributes(ssh_dir)
if not attrs or attrs.mode ~= "directory" then
return
end
for entry in lfs.dir(ssh_dir) do
if entry:match("^ssh_host_.*key") or entry:match("^ssh_host_.*key%.pub") then
os.remove(ssh_dir .. "/" .. entry)
end
end
end
local function exec_change_password(user, password, type, expire)
local root = os.getenv("NUAGE_FAKE_ROOTDIR")
local cmd = "pw "
@@ -761,6 +774,7 @@ local n = {
addgroup = addgroup,
addsshkey = addsshkey,
update_sshd_config = update_sshd_config,
delete_ssh_host_keys = delete_ssh_host_keys,
chpasswd = chpasswd,
pkg_bootstrap = pkg_bootstrap,
install_package = install_package,
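Review bot: The second alternative in the `if` inside the lfs.dir() loop of delete_ssh_host_keys() is dead: `^ssh_host_.*key` carries no `$` anchor, so it already matches `ssh_host_*key.pub` (and anything else after `key`, such as `-cert.pub`), which makes `entry:match("^ssh_host_.*key%.pub")` redundant; if the intent is cloud-init's `ssh_host_*key*` glob, keep one unanchored pattern and say so in a comment, otherwise anchor it. The result of os.remove() is discarded, so a key that fails to unlink stays in place and sshd(8) keeps serving a host key shared with every clone of the image, which is what ssh_deletekeys exists to prevent; reporting the failure through the module's warning helper (not visible here) would make that observable. Unlinking entries while lfs.dir() is still walking the directory also relies on readdir(3) behaviour that POSIX leaves unspecified, so collecting the names first and removing afterwards is safer; a rewrite of the loop follows. As a consistency point, update_sshd_config(), whose last two lines open the hunk, resolves its root directory itself while this helper takes it from the caller, so the two sibling helpers present different contracts to nuageinit.
```lua
	-- collect first: unlinking while lfs.dir() is still iterating relies on
	-- readdir(3) behaviour that POSIX leaves unspecified
	local stale = {}
	for entry in lfs.dir(ssh_dir) do
		-- unanchored on purpose: mirrors cloud-init's ssh_host_*key* glob,
		-- so the .pub and certificate files are matched as well
		if entry:match("^ssh_host_.*key") then
			stale[#stale + 1] = ssh_dir .. "/" .. entry
		end
	end
	for _, path in ipairs(stale) do
		local ok, err = os.remove(path)
		if not ok then
			-- a key left behind is still served by sshd(8) after boot
			io.stderr:write("nuageinit: cannot remove " .. path .. ": " .. tostring(err) .. "\n")
		end
	end
```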
+24
@@ -502,6 +502,28 @@ local function ssh_pwauth(obj)
nuage.update_sshd_config("PasswordAuthentication", value)
end
local function ssh_deletekeys(obj)
if obj.ssh_deletekeys == nil then return end
if obj.ssh_deletekeys then
nuage.delete_ssh_host_keys(root)
end
end
local function disable_root(obj)
if obj.disable_root == nil then return end
if obj.disable_root then
local value = "no"
if obj.disable_root_opts then
if type(obj.disable_root_opts) == "string" then
value = obj.disable_root_opts
elseif type(obj.disable_root_opts) == "table" then
value = obj.disable_root_opts[1]
end
end
nuage.update_sshd_config("PermitRootLogin", value)
end
end
local function runcmd(obj)
if obj.runcmd == nil then return end
local f = nil
@@ -776,8 +798,10 @@ elseif line == "#cloud-config" then
settimezone,
groups,
create_default_user,
ssh_deletekeys,
ssh_keys,
network_config,
disable_root,
ssh_pwauth,
runcmd,
write_files_not_deferred,
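Review bot: In disable_root(), `value = obj.disable_root_opts[1]` yields nil for an empty array, so nuage.update_sshd_config("PermitRootLogin", nil) is reached; that helper is outside this hunk, but the value is clearly meant to be a string, so fall back to the documented default: `value = obj.disable_root_opts[1] or "no"`. Whatever string arrives here is written verbatim, and sshd(8) refuses to start on a PermitRootLogin value it does not recognise, so a typo in disable_root_opts leaves the instance without SSH after its next restart; checking the value against the keywords sshd_config(5) lists for PermitRootLogin before the write would turn that into a warning at configuration time. If I recall the cloud-init schema correctly, its disable_root_opts is the options prefix added to root's authorized_keys entry rather than a PermitRootLogin value, so the commit's claim of following the spec deserves a caveat in the manual page. ssh_deletekeys() passes `root` without declaring it; where it comes from is outside the hunk, and if it can be nil the concatenation in delete_ssh_host_keys() raises rather than skipping.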
+32
@@ -164,6 +164,12 @@ will be used as the name of the group, the
.Qq Ar value
is expected to be a list of members (array), specified by name.
.El
.It Ic ssh_deletekeys
Boolean which determines if the existing SSH host keys in
.Pa /etc/ssh
should be removed on first boot.
New host keys will be generated automatically by
.Xr sshd 8 .
.It Ic ssh_keys
An object of multiple key/values,
.Qq Cm keys
@@ -183,6 +189,30 @@ boolean which determines the value of the
.Qq Ic PasswordAuthentication
configuration in
.Pa /etc/ssh/sshd_config
.It Ic disable_root
Boolean which determines if root login via SSH should be disabled.
If set to
.Ar true ,
sets
.Qq Ic PermitRootLogin
to
.Ar no
.Pq or the value specified in Ic disable_root_opts
in
.Pa /etc/ssh/sshd_config .
.It Ic disable_root_opts
String or array of options used to set the value of
.Qq Ic PermitRootLogin
in
.Pa /etc/ssh/sshd_config ,
when
.Ic disable_root
is set to
.Ar true .
If not specified, defaults to
.Ar no .
.Pp
Only the first value is used when an array is provided.
.It Ic network
Network configuration parameters.
.Pp
@@ -410,6 +440,8 @@ package_update: true
package_upgrade: true
runcmd:
- logger -t nuageinit "boot finished"
ssh_deletekeys: true
disable_root: true
ssh_keys:
ed25519_private: |
-----BEGIN OPENSSH PRIVATE KEY-----