nuageinit: complete SSH support with ssh_deletekeys and disable_root
Add missing SSH cloud-config options from cloud-init spec: - ssh_deletekeys: remove existing SSH host keys on first boot so new ones are generated automatically by sshd(8). Implemented as delete_ssh_host_keys() in nuage.lua using lfs.dir() with a directory existence guard via lfs.attributes(). - disable_root: set PermitRootLogin to 'no' (or a custom value via disable_root_opts) in /etc/ssh/sshd_config. - disable_root_opts: optional string or array to override the PermitRootLogin value used when disable_root is true. Only the first array element is used.
@@ -539,6 +539,19 @@ local function update_sshd_config(key, value)
|
||||
os.rename(sshd_config .. ".nuageinit", sshd_config)
|
||||
end
|
||||
|
||||
local function delete_ssh_host_keys(root)
|
||||
local ssh_dir = root .. "/etc/ssh"
|
||||
local attrs = lfs.attributes(ssh_dir)
|
||||
if not attrs or attrs.mode ~= "directory" then
|
||||
return
|
||||
end
|
||||
for entry in lfs.dir(ssh_dir) do
|
||||
if entry:match("^ssh_host_.*key") or entry:match("^ssh_host_.*key%.pub") then
|
||||
os.remove(ssh_dir .. "/" .. entry)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
local function exec_change_password(user, password, type, expire)
|
||||
local root = os.getenv("NUAGE_FAKE_ROOTDIR")
|
||||
local cmd = "pw "
|
||||
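Review bot: The second alternative in `if entry:match("^ssh_host_.*key") or entry:match("^ssh_host_.*key%.pub") then` is redundant, because the first pattern is not anchored at the end and already matches every `.pub` name; unanchored, it also removes any other file in /etc/ssh whose name starts with `ssh_host_` and contains `key`, such as a backup copy an operator left there. Anchoring both alternatives, `if entry:match("^ssh_host_.*key$") or entry:match("^ssh_host_.*key%.pub$") then`, limits the deletion to the key pair files themselves. The return value of `os.remove` is discarded, so a key that could not be removed stays in place and the host keeps its previous identity with nothing in the boot log to show it; `local ok, err = os.remove(ssh_dir .. "/" .. entry)` followed by a warning when `ok` is nil would make that visible. The function is complete within the hunk.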
@@ -761,6 +774,7 @@ local n = {
|
||||
addgroup = addgroup,
|
||||
addsshkey = addsshkey,
|
||||
update_sshd_config = update_sshd_config,
|
||||
delete_ssh_host_keys = delete_ssh_host_keys,
|
||||
chpasswd = chpasswd,
|
||||
pkg_bootstrap = pkg_bootstrap,
|
||||
install_package = install_package,
|
||||
|
||||
@@ -502,6 +502,28 @@ local function ssh_pwauth(obj)
|
||||
nuage.update_sshd_config("PasswordAuthentication", value)
|
||||
end
|
||||
|
||||
local function ssh_deletekeys(obj)
|
||||
if obj.ssh_deletekeys == nil then return end
|
||||
if obj.ssh_deletekeys then
|
||||
nuage.delete_ssh_host_keys(root)
|
||||
end
|
||||
end
|
||||
|
||||
local function disable_root(obj)
|
||||
if obj.disable_root == nil then return end
|
||||
if obj.disable_root then
|
||||
local value = "no"
|
||||
if obj.disable_root_opts then
|
||||
if type(obj.disable_root_opts) == "string" then
|
||||
value = obj.disable_root_opts
|
||||
elseif type(obj.disable_root_opts) == "table" then
|
||||
value = obj.disable_root_opts[1]
|
||||
end
|
||||
end
|
||||
nuage.update_sshd_config("PermitRootLogin", value)
|
||||
end
|
||||
end
|
||||
|
||||
local function runcmd(obj)
|
||||
if obj.runcmd == nil then return end
|
||||
local f = nil
|
||||
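Review bot: In `disable_root`, `value = obj.disable_root_opts[1]` yields nil when `disable_root_opts` is an empty array, and that nil is then passed straight to `nuage.update_sshd_config("PermitRootLogin", value)`; `value = obj.disable_root_opts[1] or "no"` keeps the documented default in that case. The string is written into sshd_config verbatim, so checking it against the keywords sshd accepts for PermitRootLogin (`yes`, `no`, `prohibit-password`, `forced-commands-only`) before the update_sshd_config call would stop a typo in the cloud-config from leaving sshd unable to start on first boot. In `ssh_deletekeys`, `root` is not declared in this hunk; if it is not a file-level local of this script, `delete_ssh_host_keys` concatenates nil and raises. The hunk's own `exec_change_password` context shows nuage.lua helpers reading `NUAGE_FAKE_ROOTDIR` themselves, so having `delete_ssh_host_keys` do the same would remove the dependency on the caller's scope.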
@@ -776,8 +798,10 @@ elseif line == "#cloud-config" then
|
||||
settimezone,
|
||||
groups,
|
||||
create_default_user,
|
||||
ssh_deletekeys,
|
||||
ssh_keys,
|
||||
network_config,
|
||||
disable_root,
|
||||
ssh_pwauth,
|
||||
runcmd,
|
||||
write_files_not_deferred,
|
||||
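Review bot: The placement of `ssh_deletekeys` ahead of `ssh_keys` in this handler list is load-bearing — host keys supplied under `ssh_keys` (as in the example added by this commit) would otherwise be written and then deleted — but nothing on the line says so. A comment on that entry, `-- must run before ssh_keys: keys supplied in cloud-config replace the deleted ones`, would keep a later reordering from silently reintroducing the old host identity or wiping the supplied keys. The enclosing table starts and ends outside the hunk.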
|
||||
@@ -164,6 +164,12 @@ will be used as the name of the group, the
|
||||
.Qq Ar value
|
||||
is expected to be a list of members (array), specified by name.
|
||||
.El
|
||||
.It Ic ssh_deletekeys
|
||||
Boolean which determines if the existing SSH host keys in
|
||||
.Pa /etc/ssh
|
||||
should be removed on first boot.
|
||||
New host keys will be generated automatically by
|
||||
.Xr sshd 8 .
|
||||
.It Ic ssh_keys
|
||||
An object of multiple key/values,
|
||||
.Qq Cm keys
|
||||
@@ -183,6 +189,30 @@ boolean which determines the value of the
|
||||
.Qq Ic PasswordAuthentication
|
||||
configuration in
|
||||
.Pa /etc/ssh/sshd_config
|
||||
.It Ic disable_root
|
||||
Boolean which determines if root login via SSH should be disabled.
|
||||
If set to
|
||||
.Ar true ,
|
||||
sets
|
||||
.Qq Ic PermitRootLogin
|
||||
to
|
||||
.Ar no
|
||||
.Pq or the value specified in Ic disable_root_opts
|
||||
in
|
||||
.Pa /etc/ssh/sshd_config .
|
||||
.It Ic disable_root_opts
|
||||
String or array of options used to set the value of
|
||||
.Qq Ic PermitRootLogin
|
||||
in
|
||||
.Pa /etc/ssh/sshd_config ,
|
||||
when
|
||||
.Ic disable_root
|
||||
is set to
|
||||
.Ar true .
|
||||
If not specified, defaults to
|
||||
.Ar no .
|
||||
.Pp
|
||||
Only the first value is used when an array is provided.
|
||||
.It Ic network
|
||||
Network configuration parameters.
|
||||
.Pp
|
||||
@@ -410,6 +440,8 @@ package_update: true
|
||||
package_upgrade: true
|
||||
runcmd:
|
||||
- logger -t nuageinit "boot finished"
|
||||
ssh_deletekeys: true
|
||||
disable_root: true
|
||||
ssh_keys:
|
||||
ed25519_private: |
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
|
||||