install: add --no-sshd argument (MR 2030)

Allow to disable the sshd service in the target OS, and note at the end of the installation whether sshd is enabled or not.
2021-02-13 12:00:43 +01:00 · 2021-02-13 12:00:43 +01:00 · 5b01a18cba
parent 94544b8435
commit 5b01a18cba
2 changed files with 44 additions and 0 deletions
--- a/pmb/install/_install.py
+++ b/pmb/install/_install.py
@ -323,6 +323,43 @@ def setup_hostname(args):
    pmb.chroot.root(args, ["sed", "-i", "-e", regex, "/etc/hosts"], suffix)


+def disable_sshd(args):
+    if not args.no_sshd:
+        return
+
+    # check=False: rc-update doesn't exit with 0 if already disabled
+    suffix = f"rootfs_{args.device}"
+    pmb.chroot.root(args, ["rc-update", "del", "sshd", "default"], suffix,
+                    check=False)
+
+    # Verify that it's gone
+    sshd_files = pmb.helpers.run.root(
+        args, ["find", "-name", "sshd"], output_return=True,
+        working_dir=f"{args.work}/chroot_{suffix}/etc/runlevels")
+    if sshd_files:
+        raise RuntimeError(f"Failed to disable sshd service: {sshd_files}")
+
+
+def print_sshd_info(args):
+    logging.info("*** SSH DAEMON INFORMATION ***")
+
+    if not args.ondev_no_rootfs:
+        if args.no_sshd:
+            logging.info("SSH daemon is disabled (--no-sshd).")
+        else:
+            logging.info("SSH daemon is enabled (disable with --no-sshd).")
+            logging.info(f"Login as '{args.user}' with the password given"
+                         " during installation.")
+
+    if args.on_device_installer:
+        # We don't disable sshd in the installer OS. If the device is reachable
+        # on the network by default (e.g. Raspberry Pi), one can lock down the
+        # installer OS down by disabling the debug user (see wiki page).
+        logging.info("SSH daemon is enabled in the installer OS, to allow"
+                     " debugging the installer image.")
+        logging.info("More info: https://postmarketos.org/ondev-debug")
+
+
 def embed_firmware(args, suffix):
    """
    This method will embed firmware, located at /usr/share, that are specified
@ -725,6 +762,8 @@ def create_device_rootfs(args, step, steps):
    # Set the hostname as the device name
    setup_hostname(args)

+    disable_sshd(args)
+

 def install(args):
    # Sanity checks
@ -767,3 +806,4 @@ def install(args):
        install_system_image(args, 0, f"rootfs_{args.device}", step, steps,
                             split=args.split, sdcard=args.sdcard)
    print_flash_info(args)
+    print_sshd_info(args)
--- a/pmb/parse/arguments.py
+++ b/pmb/parse/arguments.py
@ -50,6 +50,10 @@ def arguments_install(subparser):
    ret = subparser.add_parser("install", help="set up device specific"
                               " chroot and install to SD card or image file")

+    # Other arguments (that don't fit categories below)
+    ret.add_argument("--no-sshd", action="store_true",
+                     help="do not enable the SSH daemon by default")
+
    # Image type
    group_desc = ret.add_argument_group(
        "optional image type",