From f4d5f73cfa82a72e3cd967ba4c8c8e7012d3f691 Mon Sep 17 00:00:00 2001
From: Alberto Contreras
Date: Sat, 6 Aug 2022 00:31:42 +0200
Subject: ssh_util: Handle sshd_config.d folder

Write sshd config to /etc/ssh/sshd_config.d/50-cloud-init.conf if the sshd_config sources sshd_config.d

LP: #1968873
---
 cloudinit/ssh_util.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'cloudinit/ssh_util.py')
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index ab4c63aa..5bbbc724 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -544,11 +544,28 @@ def parse_ssh_config_map(fname):
 return ret


+def _includes_dconf(fname: str) -> bool:
+ if not os.path.isfile(fname):
+ return False
+ with open(fname, "r") as f:
+ for line in f:
+ if line.startswith(f"Include {fname}.d/*.conf"):
+ return True
+ return False
+
+
 def update_ssh_config(updates, fname=DEF_SSHD_CFG):
 """Read fname, and update if changes are necessary.

 @param updates: dictionary of desired values {Option: value}
 @return: boolean indicating if an update was done."""
+ if _includes_dconf(fname):
+ if not os.path.isdir(f"{fname}.d"):
+ util.ensure_dir(f"{fname}.d", mode=0o755)
+ fname = os.path.join(f"{fname}.d", "50-cloud-init.conf")
+ if not os.path.isfile(fname):
+ # Ensure root read-only:
+ util.ensure_file(fname, 0o600)
 lines = parse_ssh_config(fname)
 changed = update_ssh_config_lines(lines=lines, updates=updates)
 if changed:
--
cgit v1.2.1
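Review bot: The `Include` detection in `_includes_dconf` is an exact, case-sensitive prefix match, so a config that spells the directive `include ...`, indents it, or lists the glob after another pattern is treated as having no drop-in directory, and the update then goes to the main file. sshd_config keywords are case-insensitive and sshd keeps the first value it obtains for a keyword, so where the include precedes the setting, a value in an existing drop-in can win over what cloud-init writes (for example `PasswordAuthentication`) and the intended hardening silently does not apply. Tokenising the line would cover these spellings: `parts = line.split()` followed by `if len(parts) > 1 and parts[0].lower() == "include" and f"{fname}.d/*.conf" in parts[1:]:`. Separately, `util.ensure_file(fname, 0o600)` runs only when `50-cloud-init.conf` is absent, so a pre-existing file keeps whatever mode it already had. Whether the later write resets the mode is not visible here, because `update_ssh_config` continues past the end of the hunk.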