From 6f2b8551e72596adfc685357d8471c454bd96d63 Mon Sep 17 00:00:00 2001 From: Ben Howard Date: Fri, 11 Sep 2015 13:38:14 -0600 Subject: Ubuntu Snappy: conditionally enable SSH on Snappy When a user provides authentication tokens, enable SSH unless SSH has been explicitly disabled (LP: #1494816). --- cloudinit/config/cc_snappy.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'cloudinit') diff --git a/cloudinit/config/cc_snappy.py b/cloudinit/config/cc_snappy.py index 7aaec94a..e36542bf 100644 --- a/cloudinit/config/cc_snappy.py +++ b/cloudinit/config/cc_snappy.py @@ -274,7 +274,20 @@ def handle(name, cfg, cloud, log, args): LOG.warn("'%s' failed for '%s': %s", pkg_op['op'], pkg_op['name'], e) - disable_enable_ssh(mycfg.get('ssh_enabled', False)) + # Default to disabling SSH + ssh_enabled = mycfg.get('ssh_enabled', False) + + # If the user has not explicitly enabled or disabled SSH, then enable it + # when password SSH authentication is requested or there are SSH keys + if mycfg.get('ssh_enabled', None) is not False: + if len(mycfg.get('public-keys', [])) > 0: + LOG.debug("Enabling SSH, user SSH keys provided") + ssh_enabled = True + elif mycfg.get('ssh_pwauth', False): + LOG.debug("Enabling SSH, password authentication requested") + ssh_enabled = True + + disable_enable_ssh(ssh_enabled) if fails: raise Exception("failed to install/configure snaps") -- cgit v1.2.3 From fd6b08c4d03b07be67398450e40e7e2f91e8db51 Mon Sep 17 00:00:00 2001 From: Ben Howard Date: Fri, 11 Sep 2015 14:04:52 -0600 Subject: Refinements on SSH enablement --- cloudinit/config/cc_snappy.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'cloudinit') diff --git a/cloudinit/config/cc_snappy.py b/cloudinit/config/cc_snappy.py index e36542bf..899df10c 100644 --- a/cloudinit/config/cc_snappy.py +++ b/cloudinit/config/cc_snappy.py 
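Review bot: The guard `if mycfg.get('ssh_enabled', None) is not False:` in the added block is wider than the comment above it describes. It is entered for an explicit `True` and also for falsy values that are not the `False` object, such as `0` or an empty key that loads as `None`, so such a config can now end up with `ssh_enabled = True` once keys or `ssh_pwauth` are present. If the intent is "only when the user said nothing", `if 'ssh_enabled' not in mycfg:` matches the comment. The two `LOG.debug` calls record a decision that opens a network service; consider `LOG.info` so the reason is visible without debug logging. handle() begins and ends outside this hunk.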
@@ -280,10 +280,12 @@ def handle(name, cfg, cloud, log, args): # If the user has not explicitly enabled or disabled SSH, then enable it # when password SSH authentication is requested or there are SSH keys if mycfg.get('ssh_enabled', None) is not False: - if len(mycfg.get('public-keys', [])) > 0: + user_ssh_keys = cloud.get_public_ssh_keys() or None + password_auth_enabled = cfg.get('ssh_pwauth', False) + if user_ssh_keys: LOG.debug("Enabling SSH, user SSH keys provided") ssh_enabled = True - elif mycfg.get('ssh_pwauth', False): + elif password_auth_enabled: LOG.debug("Enabling SSH, password authentication requested") ssh_enabled = True -- cgit v1.2.3 From 988174dca9e4e5593b357c6def82c857f718282d Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Fri, 11 Sep 2015 16:52:26 -0400 Subject: cc_snappy: update doc string, change default to 'auto' --- cloudinit/config/cc_snappy.py | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) (limited to 'cloudinit') diff --git a/cloudinit/config/cc_snappy.py b/cloudinit/config/cc_snappy.py index 899df10c..124452c0 100644 --- a/cloudinit/config/cc_snappy.py +++ b/cloudinit/config/cc_snappy.py @@ -6,7 +6,7 @@ Example config: #cloud-config snappy: system_snappy: auto - ssh_enabled: False + ssh_enabled: auto packages: [etcd, pkg2.smoser] config: pkgname: @@ -16,7 +16,12 @@ Example config: packages_dir: '/writable/user-data/cloud-init/snaps' - ssh_enabled: - This defaults to 'False'. Set to a non-false value to enable ssh service + This controls the system's ssh service. The default value is 'auto'. + True: enable ssh service + False: disable ssh service + auto: enable ssh service if either ssh keys have been provided + or user has requested password authentication (ssh_pwauth). + - snap installation and config The above would install 'etcd', and then install 'pkg2.smoser' with a '' argument where 'config-file' has 'config-blob' inside it. 
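Review bot: `password_auth_enabled = cfg.get('ssh_pwauth', False)` is later tested for plain truthiness, so any non-empty string value of `ssh_pwauth` (a quoted `"no"`, or `unchanged` if that value is accepted elsewhere) would count as a request for password authentication and enable SSH. cloud-init has a `util.is_true` helper for this kind of value; if `util` is in scope in this module (not visible in the hunk), `password_auth_enabled = util.is_true(cfg.get('ssh_pwauth'))` would avoid the fail-open reading. The `or None` on `cloud.get_public_ssh_keys() or None` has no effect because the result is only used in `if user_ssh_keys:`. handle() begins and ends outside this hunk.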
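Review bot: The new `ssh_enabled` docstring entry does not say what `auto` does when neither keys nor `ssh_pwauth` are present, which is the case an operator hardening an image most needs to know. Once the code guarantees it, I would end the `auto` item with `Otherwise the ssh service is disabled.` and add a line that the default changed from `False`, so configs that omit the key may now get sshd started when the datasource supplies keys. Since `auto` loads as a string while `True`/`False` load as booleans, it is also worth stating that quoted values such as `"false"` are not recognised.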
@@ -275,19 +280,23 @@ def handle(name, cfg, cloud, log, args): pkg_op['op'], pkg_op['name'], e) # Default to disabling SSH - ssh_enabled = mycfg.get('ssh_enabled', False) + ssh_enabled = mycfg.get('ssh_enabled', "auto") # If the user has not explicitly enabled or disabled SSH, then enable it # when password SSH authentication is requested or there are SSH keys - if mycfg.get('ssh_enabled', None) is not False: + if ssh_enabled == "auto": user_ssh_keys = cloud.get_public_ssh_keys() or None password_auth_enabled = cfg.get('ssh_pwauth', False) if user_ssh_keys: - LOG.debug("Enabling SSH, user SSH keys provided") + LOG.debug("Enabling SSH, ssh keys found in datasource") ssh_enabled = True + elif cfg.get('ssh_authorized_keys'): + LOG.debug("Enabling SSH, ssh keys found in config") elif password_auth_enabled: LOG.debug("Enabling SSH, password authentication requested") ssh_enabled = True + elif ssh_enabled not in (True, False): + LOG.warn("Unknown value '%s' in ssh_enabled", ssh_enabled) disable_enable_ssh(ssh_enabled) -- cgit v1.2.3
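Review bot: In the `auto` branch only two of the four paths leave `ssh_enabled` as a boolean. The new `elif cfg.get('ssh_authorized_keys'):` arm logs "Enabling SSH" without assigning `True`, and when no credential is found the value stays the string `"auto"`; both reach `disable_enable_ssh(ssh_enabled)` unchanged. That function is outside the hunk, but if it tests truthiness, `"auto"` and any unrecognised value that only triggers the `LOG.warn` would start sshd, including on a host with no keys and no password authentication. Resolving to an explicit boolean and failing closed on unknown input, as sketched below, removes that dependency. The `# Default to disabling SSH` comment is also stale now that the default is `"auto"`.

```python
        # … unchanged: auto branch up to the datasource-keys check …
        elif cfg.get('ssh_authorized_keys'):
            LOG.debug("Enabling SSH, ssh keys found in config")
            ssh_enabled = True
        # … unchanged: password_auth_enabled branch …
        else:
            LOG.debug("Disabling SSH, no keys or password auth requested")
            ssh_enabled = False
    elif ssh_enabled not in (True, False):
        LOG.warn("Unknown value '%s' in ssh_enabled, disabling SSH",
                 ssh_enabled)
        ssh_enabled = False
```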