SSH is installed but disabled by default, and keys are sanitized with a sanity check.

vemana1niranjan · vemana1niranjan · commit 457a580d5d8e · 2026-04-08T15:00:06.000+05:30
debos: install openssh-server disabled-by-default and sanitize SSH keys

Install openssh-server for convenience while ensuring it is disabled by
default. Remove host keys generated during build and add a sanity check
to prevent shipping images with pre-generated SSH keys.

Signed-off-by: Niranjan &lt;nvemana@qti.qualcomm.com&gt;
diff --git a/README.md b/README.md
@@ -148,6 +148,7 @@ For the flash recipe:
 - `target_boards`: comma-separated list of board names to build (default: `all`). Accepted values are the board names defined in the flash recipe, e.g. `qcs615-ride`, `qcs6490-rb3gen2-vision-kit`, `qcs8300-ride`, `qcs9100-ride-r3`, `qrb2210-rb1`.
 
 Note: Boards whose required device tree (.dtb) is not present in `dtbs.tar.gz` are automatically skipped during flash asset generation.
+Note: "A SSH server is installed but disabled by default; enable with sudo systemctl enable ssh".
 
 Deprecated flash options:
 - `build_qcs615`, `build_qcm6490`, `build_qcs8300`, `build_qcs9100`, `build_rb1`: these per-family/per-board toggles are deprecated and will be removed. Use `target_boards` instead to select which boards to build.
diff --git a/debos-recipes/qualcomm-linux-debian-rootfs.yaml b/debos-recipes/qualcomm-linux-debian-rootfs.yaml
@@ -189,6 +189,8 @@ actions:
       # convenience networking commands (arp, ifconfig, route etc.)
       - net-tools
       - openssh-client
+      # A SSH server is installed but disabled by default; enable with sudo systemctl enable ssh.
+      - openssh-server
       # lspci
       - pciutils
       - rfkill
@@ -201,6 +203,16 @@ actions:
       - vulkan-tools
       - wget
 
+  - action: run
+    description: Sanitize SSH setup
+    chroot: true
+    command: |
+      set -eux
+      rm -v /etc/ssh/ssh_host_* || true
+      # rm -rf /root/.ssh /home/*/.ssh || true
+      systemctl disable ssh 2>/dev/null || true # it's not actually started after install in the debos environment.
+      find /etc/ssh /root /home -type f \( -name 'ssh_host_*' -o -name 'id_rsa*' -o -name 'id_ed25519*' -o -name 'authorized_keys' \) -exec rm -v {} + 2>/dev/null || true
+      
   - action: run
     description: Add default user to docker group
     chroot: true
