feat(debos/rootfs): add openssh-server and disable it by default.

Install openssh-server for convenience while ensuring it is disabled by
default. Remove host keys generated during build and add a sanity check
to prevent shipping images with pre-generated SSH keys.

Signed-off-by: Niranjan Vemana <nvemana@qti.qualcomm.com>

Author: vemana1niranjan

README.md

@@ -263,6 +263,8 @@ Once the image has booted, you can log in as the `debian` user, with the
 default `debian` password. The image should then ask you to change this default
 password to a safe one.
 
+Note: "openssh server is installed but disabled by default; enable with "systemctl enable --now ssh" as root user".
+
 ## Development
 
 Want to join in the development? Changes welcome! See [CONTRIBUTING.md file](CONTRIBUTING.md) for step by step instructions.

debos-recipes/qualcomm-linux-debian-rootfs.yaml

@@ -200,6 +200,8 @@ actions:
       # convenience networking commands (arp, ifconfig, route etc.)
       - net-tools
       - openssh-client
+      # disabled by default
+      - openssh-server
       # lspci
       - pciutils
       - rfkill
@@ -212,6 +214,18 @@ actions:
       - vulkan-tools
       - wget
 
+  - action: run
+    description: Disable ssh by default and sanitize ssh keys
+    chroot: true
+    command: |
+      set -eux
+      systemctl disable ssh
+      if [ -f /etc/ssh/ssh_host_* ]; then
+        echo "ERROR: SSH host keys were unexpectedly generated" >&2
+        exit 1
+      fi
+      rm -rf /home/*/.ssh
+
   - action: run
     description: Add default user to docker group
     chroot: true