To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Baptiste Daroussin
Subject: git: 22c1f5d0ec21 - main - nuageinit: complete SSH support with ssh_deletekeys and disable_root
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bapt
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 22c1f5d0ec215e36dd4448b9128b856b5441d21c
Date: Thu, 04 Jun 2026 21:15:49 +0000
Message-Id: <6a21eb05.3c4de.659a3fd4@gitrepo.freebsd.org>

The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/src/commit/?id=22c1f5d0ec215e36dd4448b9128b856b5441d21c

commit 22c1f5d0ec215e36dd4448b9128b856b5441d21c
Author:     Baptiste Daroussin
AuthorDate: 2026-06-04 20:17:03 +0000
Commit:     Baptiste Daroussin
CommitDate: 2026-06-04 20:17:03 +0000

    nuageinit: complete SSH support with ssh_deletekeys and disable_root

    Add missing SSH cloud-config options from cloud-init spec:

    - ssh_deletekeys: remove existing SSH host keys on first boot so new
      ones are generated automatically by sshd(8). Implemented as
      delete_ssh_host_keys() in nuage.lua using lfs.dir() with a
      directory existence guard via lfs.attributes().

    - disable_root: set PermitRootLogin to 'no' (or a custom value via
      disable_root_opts) in /etc/ssh/sshd_config.

    - disable_root_opts: optional string or array to override the
      PermitRootLogin value used when disable_root is true. Only the
      first array element is used.
--- libexec/nuageinit/nuage.lua | 14 ++++++++++++++ libexec/nuageinit/nuageinit | 24 ++++++++++++++++++++++++ libexec/nuageinit/nuageinit.7 | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 70 insertions(+) diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua index e2db27bc7e85..7cce4c9bece1 100644 --- a/libexec/nuageinit/nuage.lua +++ b/libexec/nuageinit/nuage.lua @@ -539,6 +539,19 @@ local function update_sshd_config(key, value) os.rename(sshd_config .. ".nuageinit", sshd_config) end +local function delete_ssh_host_keys(root) + local ssh_dir = root .. "/etc/ssh" + local attrs = lfs.attributes(ssh_dir) + if not attrs or attrs.mode ~= "directory" then + return + end + for entry in lfs.dir(ssh_dir) do + if entry:match("^ssh_host_.*key") or entry:match("^ssh_host_.*key%.pub") then + os.remove(ssh_dir .. "/" .. entry) + end + end +end + local function exec_change_password(user, password, type, expire) local root = os.getenv("NUAGE_FAKE_ROOTDIR") local cmd = "pw " @@ -761,6 +774,7 @@ local n = { addgroup = addgroup, addsshkey = addsshkey, update_sshd_config = update_sshd_config, + delete_ssh_host_keys = delete_ssh_host_keys, chpasswd = chpasswd, pkg_bootstrap = pkg_bootstrap, install_package = install_package, diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit index fc8d9582b9c6..166c3503735a 100755 --- a/libexec/nuageinit/nuageinit +++ b/libexec/nuageinit/nuageinit 
@@ -502,6 +502,28 @@ local function ssh_pwauth(obj) nuage.update_sshd_config("PasswordAuthentication", value) end +local function ssh_deletekeys(obj) + if obj.ssh_deletekeys == nil then return end + if obj.ssh_deletekeys then + nuage.delete_ssh_host_keys(root) + end +end + +local function disable_root(obj) + if obj.disable_root == nil then return end + if obj.disable_root then + local value = "no" + if obj.disable_root_opts then + if type(obj.disable_root_opts) == "string" then + value = obj.disable_root_opts + elseif type(obj.disable_root_opts) == "table" then + value = obj.disable_root_opts[1] + end + end + nuage.update_sshd_config("PermitRootLogin", value) + end +end + local function runcmd(obj) if obj.runcmd == nil then return end local f = nil @@ -776,8 +798,10 @@ elseif line == "#cloud-config" then settimezone, groups, create_default_user, + ssh_deletekeys, ssh_keys, network_config, + disable_root, ssh_pwauth, runcmd, write_files_not_deferred, diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7 index 9651abba868f..08a64b11ff58 100644 --- a/libexec/nuageinit/nuageinit.7 +++ b/libexec/nuageinit/nuageinit.7 @@ -164,6 +164,12 @@ will be used as the name of the group, the .Qq Ar value is expected to be a list of members (array), specified by name. .El +.It Ic ssh_deletekeys +Boolean which determines if the existing SSH host keys in +.Pa /etc/ssh +should be removed on first boot. +New host keys will be generated automatically by +.Xr sshd 8 . .It Ic ssh_keys An object of multiple key/values, .Qq Cm keys 
@@ -183,6 +189,30 @@ boolean which determines the value of the .Qq Ic PasswordAuthentication configuration in .Pa /etc/ssh/sshd_config +.It Ic disable_root +Boolean which determines if root login via SSH should be disabled. +If set to +.Ar true , +sets +.Qq Ic PermitRootLogin +to +.Ar no +.Pq or the value specified in Ic disable_root_opts +in +.Pa /etc/ssh/sshd_config . +.It Ic disable_root_opts +String or array of options used to set the value of +.Qq Ic PermitRootLogin +in +.Pa /etc/ssh/sshd_config , +when +.Ic disable_root +is set to +.Ar true . +If not specified, defaults to +.Ar no . +.Pp +Only the first value is used when an array is provided. .It Ic network Network configuration parameters. .Pp @@ -410,6 +440,8 @@ package_update: true package_upgrade: true runcmd: - logger -t nuageinit "boot finished" +ssh_deletekeys: true +disable_root: true ssh_keys: ed25519_private: | -----BEGIN OPENSSH PRIVATE KEY-----
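Review bot: in the nuage.lua hunk adding delete_ssh_host_keys(), the removals are unchecked and the second pattern is dead. `os.remove()` returns nil plus a message on failure, and the loop discards it, so a host key that cannot be unlinked (permissions, read-only /etc/ssh) is silently kept and the instance boots with the very key the option was meant to retire; log the failure (or collect and return it) so the cloud-config run surfaces it. The match `entry:match("^ssh_host_.*key")` is not anchored at the end, so it already matches `ssh_host_ed25519_key.pub` (and `*-cert.pub`); the `or entry:match("^ssh_host_.*key%.pub")` branch never adds a file and can be dropped. Finally, `root .. "/etc/ssh"` raises if `root` is nil, and the caller in the nuageinit hunk passes `root` with no visible fallback, so either guarantee it is always a string (`""` when NUAGE_FAKE_ROOTDIR is unset) or add `root = root or ""` at the top of the function.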
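Review bot: in the nuageinit hunk adding ssh_deletekeys()/disable_root(), disable_root() can hand nuage.update_sshd_config() a nil value: with `disable_root_opts: []` the table branch sets `value = obj.disable_root_opts[1]`, which is nil, and nothing in the hunk guards it. Suggest `value = obj.disable_root_opts[1] or "no"` and, for both the string and the table branch, accepting only sshd's own values (`yes`, `prohibit-password`, `forced-commands-only`, `no`), or at minimum a non-empty string without whitespace, since the value lands in sshd_config unquoted and a bad PermitRootLogin argument makes sshd reject the configuration at startup. Worth a comment as well: `if obj.ssh_deletekeys then` and `if obj.disable_root then` rely on Lua truthiness, so the string `"false"` is treated as true; the guards are only correct if the YAML front end delivers real booleans.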
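Review bot: in the nuageinit hunk that inserts `ssh_deletekeys,` and `disable_root,` into the handler list, the ordering is load-bearing and deserves a comment at the insertion points: ssh_deletekeys runs before ssh_keys so that operator-supplied host keys are written after the wipe instead of being deleted by it, and disable_root runs before runcmd so the sshd_config edit is in place before user commands execute. Without a comment, a later reorder of this list would silently turn ssh_deletekeys followed by ssh_keys into "delete the keys you just installed".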
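Review bot: the nuageinit.7 hunk documenting ssh_deletekeys should state what the operator will observe and which files are touched. Every client that cached this image's previous host key will get a host-key-changed warning on first connect, so the new fingerprint has to be obtained out of band (console log, metadata service); that caveat belongs here. The removal is also broader than "the existing SSH host keys": per the nuage.lua hunk, anything in /etc/ssh matching `ssh_host_*key*` goes, including `.pub` and `-cert.pub` files, so say so. Lastly, "generated automatically by .Xr sshd 8" is imprecise on FreeBSD, where host keys are created by the sshd rc script at service start rather than by the daemon itself; point at the rc script (or sshd_enable) instead.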
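Review bot: the nuageinit.7 hunk for disable_root/disable_root_opts should say that the option does not necessarily disable root login. With `disable_root: true` and `disable_root_opts: prohibit-password`, key-based root login stays enabled, which contradicts "determines if root login via SSH should be disabled"; reword to "sets PermitRootLogin, by default to no" and add `.Xr sshd_config 5` so readers can find the accepted values. The entry should also mention that a value the code does not validate is written verbatim, so a typo here breaks sshd startup on first boot.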