Add build-time option to disable root SSH access

[mihai-chiorean]

Description

Add a configuration variable in local.conf that can disable SSH root login for security purposes. This should be a build-time option that allows users to create more secure production images.

Requirements

• Add an environment variable (e.g., EDGEOS_DISABLE_ROOT_SSH) in local.conf
• When enabled, prevent ssh root@edgeos-device.local access
• Should still allow non-root user SSH access if configured
• Must be configurable at build time, not runtime

Suggested Implementation

1. Add to local.conf.sample:

   # Disable root SSH access (0 = allow, 1 = disable)
   # EDGEOS_DISABLE_ROOT_SSH = "1"

2. Create OpenSSH bbappend:

   # meta-edgeos/recipes-connectivity/openssh/openssh_%.bbappend
   do_install:append() {
       if [ "${EDGEOS_DISABLE_ROOT_SSH}" = "1" ]; then
           sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' ${D}${sysconfdir}/ssh/sshd_config
       fi
   }

3. Alternative: Manage via edgeos-user recipe

   • Configure SSH settings based on the variable
   • Potentially create alternative admin user when root is disabled

Security Considerations

• Document that disabling root SSH requires alternative access method
• Consider requiring creation of admin user when root SSH is disabled
• Ensure serial console access remains available for recovery

Acceptance Criteria

• EDGEOS_DISABLE_ROOT_SSH variable documented in local.conf.sample
• When set to "1", root SSH login is disabled
• When set to "0" or unset, root SSH login is allowed (current behavior)
• SSH daemon configuration properly updated during build
• Documentation updated with security recommendations

[mihai-chiorean]

#38