debos: install and enable openssh-server for SSH access#348
debos: install and enable openssh-server for SSH access#348vemana1niranjan wants to merge 1 commit intoqualcomm-linux:mainfrom
Conversation
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
2 times, most recently
from
3b83f17 to
523ff2c
Compare
Test jobs for commit 1b5bee5 |
Test jobs for commit 3b83f17 |
gagath
left a comment
gagath
left a comment
There was a problem hiding this comment.
Makes sense to me, this avoids using the serial port to install a ssh server. This will also be useful when we move our qemu tests from expect to something a bit more robust.
Test jobs for commit 523ff2c |
|
While I would like to see SSH supported and that might be useful for testing as well, this doesn't combine well with our default password. Could we compile what our other images do by default? If we had something like cloud-init, we could install but disable SSH and turn it on through c-i. Or we could leave it on but have no password to login, and let people set that up through c-i. It would also be nice to have a simple check to ensure we don't include SSH keys in the resulting images. |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
523ff2c to
e0b53da
Compare
Test jobs for commit e0b53da |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
e0b53da to
72ef751
Compare
Test jobs for commit 72ef751 |
recent update to PR making this .is this good |
lool
left a comment
lool
left a comment
There was a problem hiding this comment.
Left various proposed improvements; coud you also add a commit message and fixed your signed-off-by to use your full name?
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
72ef751 to
457a580
Compare
Test jobs for commit 457a580 |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
457a580 to
4919cb4
Compare
Test jobs for commit 4919cb4 |
| # convenience networking commands (arp, ifconfig, route etc.) | ||
| - net-tools | ||
| - openssh-client | ||
| # A SSH server is installed but disabled by default; enable with sudo systemctl enable ssh. |
There was a problem hiding this comment.
There's a comment only when the package name doesn't make it obvious; here, an insightful comment would be "disabled by default after install"
Could you also cover that in a README update? "A SSH server is installed but disabled by default; enable with `sudo systemctl enable "
lool
left a comment
lool
left a comment
There was a problem hiding this comment.
I'm not sure why my review wasn't fully sent
Test jobs for commit 36db5d4 |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
36db5d4 to
6a31c3a
Compare
Test jobs for commit c44e994 |
| # convenience networking commands (arp, ifconfig, route etc.) | ||
| - net-tools | ||
| - openssh-client | ||
| # OPENSSH is installed but disabled by default. |
There was a problem hiding this comment.
this is a weird way to write that name; either OpenSSH or openssh
or just write "disabled by default" since that's the only interesting part
There was a problem hiding this comment.
changed to "disabled by default"
| command: | | ||
| set -eux | ||
| rm -f /etc/ssh/ssh_host_* | ||
| rm -rf /root/.ssh /home/*/.ssh |
There was a problem hiding this comment.
Drop the root/.ssh part, there is no chance this will be generated
There was a problem hiding this comment.
removed root/.ssh part kept the /home/*/.ssh
| - wget | ||
|
|
||
| - action: run | ||
| description: Sanitize SSH keys |
There was a problem hiding this comment.
This action is about disabling SSH by default; update the description to match
There was a problem hiding this comment.
changed description to "Disable ssh by default and sanitize ssh keys"
| chroot: true | ||
| command: | | ||
| set -eux | ||
| rm -f /etc/ssh/ssh_host_* |
There was a problem hiding this comment.
Change this to check if the keys are present and fail if so; we don't want a silent removal, we want to escalate the issue if these keys were somehow generated.
Also, move this logic to AFTER disabling and potentially stopping the service.
There was a problem hiding this comment.
made change logic starts after disabling if found printing error mesg in rootfs generation part and forcely exiting rootfs generation
| set -eux | ||
| rm -f /etc/ssh/ssh_host_* | ||
| rm -rf /root/.ssh /home/*/.ssh | ||
| systemctl disable ssh 2>/dev/null || true |
There was a problem hiding this comment.
Try to pass --now as well as that seems stricter.
Don't ignore failure, or explain why we want to run it if it's expected to fail.
There was a problem hiding this comment.
tried to add --now but
flag fails because systemd is not running in the chroot build environment
| `qcs9100-ride-r3`, `qrb2210-rb1`. | ||
|
|
||
| Note: Boards whose required device tree (.dtb) is not present in `dtbs.tar.gz` are automatically skipped during flash asset generation. | ||
| Note: "A SSH server is installed but disabled by default; enable with sudo systemctl enable ssh". |
There was a problem hiding this comment.
This is the wrong place to add this change; look at the whole README and find the place which makes the most sense. I would place it near the login instructions since this is a note about usage.
There was a problem hiding this comment.
adding at login instructions
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
c44e994 to
b66dbf7
Compare
Test jobs for commit b66dbf7 |
Test jobs for commit 6067689 |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
6067689 to
fd8d793
Compare
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
fd8d793 to
c03842e
Compare
Test jobs for commit fd8d793 |
Test jobs for commit c03842e |
lool
left a comment
lool
left a comment
There was a problem hiding this comment.
Hi, some shell syntax issues
Please update the commit message to reflect the latest changes
| echo "ERROR: SSH host keys were unexpectedly generated" >&2 | ||
| exit 1 | ||
| fi | ||
| rm -rf /home/*/.ssh |
There was a problem hiding this comment.
Please drop this rm, no chance of being created during build (otherwise it should be a check as above)
| command: | | ||
| set -eux | ||
| systemctl disable ssh | ||
| if [ -f /etc/ssh/ssh_host_* ]; then |
There was a problem hiding this comment.
if this expands to multiple files, the test command will be incorrect
| chroot: true | ||
| command: | | ||
| set -eux | ||
| systemctl disable ssh |
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
c03842e to
728ad14
Compare
| chroot: true | ||
| command: | | ||
| set -eux | ||
| systemctl disable ssh --now |
There was a problem hiding this comment.
This might work, but it's an unusual position for flags; disable --now ssh instead
There was a problem hiding this comment.
even this "systemctl disable --now ssh" local build failing with this error message
msg : --now cannot be used when systemd is not running.
There is interesting observation below in trixie build fails with same error and in forky build this error was not found
so shall i remove --now?
There was a problem hiding this comment.
There seems to be conflicting situations in your attempts; you report commands fail because systemd is not running (and indeed, then --now makes no sense, I can see why systemd would reject it, and we should drop it), but some recent failures also show that --now is accepted, and that the SSH keys were generated, which suggest that we're in the opposite situation:
2026/04/29 10:53:34 ==== Disable ssh by default and sanitize ssh keys ====
2026/04/29 10:53:34 set -eux... | + systemctl disable --now ssh
2026/04/29 10:53:34 set -eux... | Removed '/etc/systemd/system/multi-user.target.wants/ssh.service'.
2026/04/29 10:53:34 set -eux... | Removed '/etc/systemd/system/sshd.service'.
2026/04/29 10:53:34 set -eux... | + [ -f /etc/ssh/ssh_host_ecdsa_key ]
2026/04/29 10:53:34 set -eux... | + basename /etc/ssh/ssh_host_ecdsa_key
2026/04/29 10:53:34 set -eux... | + echo ERROR: SSH host key (ssh_host_ecdsa_key) was unexpectedly generated
I'm not clear on when/how debos is preventing systemd from running, I would expect most image generation tools to work in chroots and disable system services entirely though some kind of policy files or replacing the binaries.
It's risky for us to run daemons such as SSH during image generation because we might end up with keys or ids that were generated once and are distributed everywhere, when they are supposed to be private or unique and generated on the first boot after flashing.
| command: | | ||
| set -eux | ||
| systemctl disable ssh --now | ||
| if [ -f /etc/ssh/ssh_host_rsa_key ] || [ -f /etc/ssh/ssh_host_ecdsa_key ] || [ -f /etc/ssh/ssh_host_ed25519_key ]; then |
There was a problem hiding this comment.
This is not robust against addition of key types in the future...
There was a problem hiding this comment.
tried to add a generic loop over ssh_host_*_key
but observations are host keys are always copied in initial ssh-server package during debos install
so, removing them forcefully might be needed with (rm)
else build will always fail
is there any alternative way?
There was a problem hiding this comment.
tried to add a generic loop over ssh_host_*_key
but observations are host keys are always copied in initial ssh-server package during debos install so, removing them forcefully might be needed with (rm)
else build will always fail is there any alternative way?
this requires researching why in debos openssh is being started and generates keys; I believe it shouldn't
Add the openssh server to support external ssh connections, disable it by default, and add a sanity check to error out if ssh host keys are generated during build or install, preventing unintended remote access and shipping pre-generated ssh identities. Signed-off-by: Niranjan Vemana <nvemana@qti.qualcomm.com>
vemana1niranjan
force-pushed
the
feature/add_packages_openssh_server
branch
from
728ad14 to
7e9bb29
Compare
| set -eux | ||
| systemctl disable --now ssh | ||
| for keyfile in /etc/ssh/ssh_host_*_key; do | ||
| if [ -f ${keyfile} ]; then |
There was a problem hiding this comment.
This shell snippet is slightly broken, on some shells it will result in an error if the files are missing; on bash, it will expand to run the loop once with keyfile=/etc/ssh/ssh_host_*_key. Then the [ -f test call will try the same missing expansion again. It's very confusion and an unorthodox way of testing for the presence of a pattern of files.
Instead, I'd recommend using "find".
Add quotes around the keyfile use, it shouldn't be wildcard-expanded again.
3 participants
Install openssh-server and enable the ssh service during image build so SSH access is available immediately after first boot.