images: add build-time option to disable root SSH access

meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend

@@ -0,0 +1,17 @@
+# meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
+
+do_install:append() {
+    if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ]; then
+        install -d ${D}${sysconfdir}/ssh/sshd_config.d
+        cat > ${D}${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf <<'EOF'
+PermitRootLogin no
+PasswordAuthentication yes
+PermitEmptyPasswords yes
+UsePAM no
+EOF
+    fi
+}
+
+# The file is only installed when the flag is "1",
+# but it's safe to declare it in FILES regardless.
+FILES:${PN}-sshd += "${sysconfdir}/ssh/sshd_config.d/10-disable-root.conf"

meta-edgeos/recipes-core/edgeos-user/edgeos-user_1.0.bb

@@ -0,0 +1,15 @@
+SUMMARY = "Create 'admin' user (UID 1000) with home directory"
+DESCRIPTION = "Adds a non-root 'admin' user and /home/admin. Password is cleared at image time via EXTRA_USERS_PARAMS when EDGEOS_DISABLE_ROOT_SSH=1."
+LICENSE = "CLOSED"
+PR = "r0"
+
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-u 1000 -d /home/admin -m -s /bin/bash admin"
+FILES:${PN} += "/home/admin"
+
+do_install() {
+    install -d ${D}/home/admin
+    chown -R 1000:1000 ${D}/home/admin || true
+}

meta-edgeos/recipes-core/images/edgeos-image.bb

@@ -44,6 +44,15 @@ BUILDCFG_VARS += " \
 # Disable WIC's automatic fstab updates
 WIC_CREATE_EXTRA_ARGS = "--no-fstab-update"
 
+IMAGE_INSTALL += "${@bb.utils.contains('EDGEOS_DISABLE_ROOT_SSH', '1', 'edgeos-user', '', d)}"
+
+ROOTFS_POSTPROCESS_COMMAND += "edgeos_make_admin_nopass;"
+
+edgeos_make_admin_nopass () {
+    if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ] && [ -f ${IMAGE_ROOTFS}/etc/shadow ]; then
+        sed -i 's/^admin:[^:]*:/admin::/' ${IMAGE_ROOTFS}/etc/shadow || true
+    fi
+}
 # Provider for 'hostname' required by avahi-daemon
 IMAGE_INSTALL:append = " inetutils-hostname"