feat(debos/rootfs): add openssh-server and disable it by default.

Add the openssh server to support external ssh connections, disable it by
default, and add a sanity check to error out if ssh host keys are generated
during build or install, preventing unintended remote access and shipping
pre-generated ssh identities.

Signed-off-by: Niranjan Vemana <nvemana@qti.qualcomm.com>

Author: vemana1niranjan

README.md

@@ -263,6 +263,8 @@ Once the image has booted, you can log in as the `debian` user, with the
 default `debian` password. The image should then ask you to change this default
 password to a safe one.
 
+Note: "openssh server is installed but disabled by default; enable with "systemctl enable --now ssh" as root user".
+
 ## Development
 
 Want to join in the development? Changes welcome! See [CONTRIBUTING.md file](CONTRIBUTING.md) for step by step instructions.

debos-recipes/qualcomm-linux-debian-rootfs.yaml

@@ -200,6 +200,8 @@ actions:
       # convenience networking commands (arp, ifconfig, route etc.)
       - net-tools
       - openssh-client
+      # disabled by default
+      - openssh-server
       # lspci
       - pciutils
       - rfkill
@@ -212,6 +214,19 @@ actions:
       - vulkan-tools
       - wget
 
+  - action: run
+    description: Disable ssh by default and sanitize ssh keys
+    chroot: true
+    command: |
+      set -eux
+      systemctl disable --now ssh
+      for keyfile in /etc/ssh/ssh_host_*_key; do
+        if [ -f ${keyfile} ]; then
+          echo "ERROR: SSH host key ($(basename ${keyfile})) was unexpectedly generated" >&2
+          exit 1
+        fi
+      done
+
   - action: run
     description: Add default user to docker group
     chroot: true