
Block ssh password login in the installer #132

Merged
hanhsuan merged 3 commits into main from block-ssh-pswd, Mar 26, 2026

@tomli380576 tomli380576 commented Mar 26, 2026

for when we manually install images


Copilot AI left a comment


Pull request overview

Adds an installer step to disable SSH password authentication and guide QA users toward SSH key-based access.

Changes:

  • Updates the installer script messaging/formatting and adds an SSH hardening step (import QA keys + disable password auth).
  • Adds a new Python helper to write an sshd_config.d drop-in that disables PasswordAuthentication.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| Tools/PC/oem-qa-checkbox-installer/oem-qa-checkbox-installer.sh | Adds ssh key import + calls helper to block SSH password login, plus minor wording/indent changes. |
| Tools/PC/oem-qa-checkbox-installer/bin/block-ssh-pswd-login.py | New helper intended to write PasswordAuthentication no into an sshd drop-in config file. |


Comment on lines +44 to +45
ssh-import-id ceqa && echo "Imported 'ceqa' SSH key for QA login"
ssh-import-id ce-certification-qa
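
Review bot: Both `ssh-import-id` calls on these lines pass a bare ID, so the key source is implicit; ssh-import-id treats an ID without a prefix as a Launchpad account. Write them as `lp:ceqa` and `lp:ce-certification-qa` so the trust decision is visible in the script: the keys are fetched at install time, and whoever controls the key list of those two accounts gets SSH access as the user running the installer.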

Copilot AI Mar 26, 2026


The ssh-import-id calls are not error-checked, and ssh-import-id ce-certification-qa isn’t chained with && like the first one. If ssh-import-id is missing or the import fails, the script will continue without making it obvious that no keys were installed; add a command existence check and handle failures consistently (fail fast or print a clear warning).

Suggested change
ssh-import-id ceqa && echo "Imported 'ceqa' SSH key for QA login"
ssh-import-id ce-certification-qa
if ! command -v ssh-import-id >/dev/null 2>&1; then
echo "Warning: 'ssh-import-id' command not found. Skipping QA SSH key import."
else
ssh-import-id ceqa && echo "Imported 'ceqa' SSH key for QA login" || \
echo "Warning: Failed to import 'ceqa' SSH key for QA login."
ssh-import-id ce-certification-qa && echo "Imported 'ce-certification-qa' SSH key for QA login" || \
echo "Warning: Failed to import 'ce-certification-qa' SSH key for QA login."
fi

Comment on lines +46 to +48
./bin/block-ssh-pswd-login.py &&
echo -e "[ OK ] SSH password login has been blocked. \e[31mUse 'ssh-import-id' to import your own SSH keys.\e[0m"


Copilot AI Mar 26, 2026


Blocking password auth by updating sshd config won’t affect the currently running sshd until it’s reloaded/restarted. Since the installer allows exiting without rebooting, consider reloading sshd after successfully writing the config (and surface any reload failure).

Suggested change
./bin/block-ssh-pswd-login.py &&
echo -e "[ OK ] SSH password login has been blocked. \e[31mUse 'ssh-import-id' to import your own SSH keys.\e[0m"
if ./bin/block-ssh-pswd-login.py; then
echo -e "[ OK ] SSH password login has been blocked. \e[31mUse 'ssh-import-id' to import your own SSH keys.\e[0m"
# Reload SSH daemon so that configuration changes take effect immediately
if command -v systemctl >/dev/null 2>&1; then
if sudo systemctl reload sshd >/dev/null 2>&1 || sudo systemctl reload ssh >/dev/null 2>&1; then
echo "[ OK ] SSH daemon reloaded to apply configuration changes."
else
echo "[ WARN ] Failed to reload SSH daemon via systemctl; password login may remain enabled until reboot or manual reload."
fi
elif command -v service >/dev/null 2>&1; then
if sudo service sshd reload >/dev/null 2>&1 || sudo service ssh reload >/dev/null 2>&1; then
echo "[ OK ] SSH daemon reloaded to apply configuration changes."
else
echo "[ WARN ] Failed to reload SSH daemon via service; password login may remain enabled until reboot or manual reload."
fi
else
echo "[ WARN ] Could not find a command to reload the SSH daemon; password login may remain enabled until reboot or manual reload."
fi
else
echo "[ ERROR ] Failed to update SSH configuration to block password logins."
fi
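
One way to confirm the outcome of the change discussed in this comment, as an added example that is not part of the pull request or of Copilot's review: the function below judges the output of `sshd -T`, which prints the configuration sshd parses from disk, that is, what a reload would apply. The function names, the `--live` switch and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). sshd uses the first value it reads for a
# keyword, so another config file can override the new drop-in; checking the
# parsed result from `sshd -T` catches that case.

# pw_login_state: reads `sshd -T` output on stdin and prints either
# "blocked" or "open:" followed by the settings that still allow passwords.
pw_login_state() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        # Keyboard-interactive can still prompt for a password through PAM.
        # Older OpenSSH releases report it as challengeresponseauthentication.
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            if ($2 != "no") { kbd = $2 } else if (kbd == "") { kbd = "no" }
        }
        END {
            # A keyword missing from the output is treated as not blocked.
            if (pw == "")  { pw = "unset" }
            if (kbd == "") { kbd = "unset" }
            why = ""
            if (pw != "no")  { why = why " passwordauthentication=" pw }
            if (kbd != "no") { why = why " kbdinteractive=" kbd }
            if (why == "") { print "blocked" } else { print "open:" why }
        }'
}

# verify_live: run against the real host (needs root to read the host keys).
# Global settings only; Match blocks need `sshd -T -C <connection spec>`.
verify_live() {
    sudo sshd -T 2>/dev/null | pw_login_state
}

# Constructed samples of `sshd -T` output before and after the drop-in.
SAMPLE_BEFORE='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
SAMPLE_AFTER='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

if [ "${1:-}" = "--live" ]; then verify_live; fi
```

Running the script with `--live` after the helper and the reload shows whether the drop-in is the value sshd actually uses.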

# Block SSH password login
ssh-import-id ceqa && echo "Imported 'ceqa' SSH key for QA login"
ssh-import-id ce-certification-qa
./bin/block-ssh-pswd-login.py &&
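
Review bot: The two `ssh-import-id` lines and the `./bin/block-ssh-pswd-login.py` call are independent statements, so password login can be blocked on a machine where neither import succeeded, leaving no remote way in. Gate the blocking step on at least one successful import, for example by recording the exit status of each `ssh-import-id` call and running the helper only when one of them returned 0.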

Copilot AI Mar 26, 2026


block-ssh-pswd-login.py exits unless run as root (it checks os.getuid() != 0), but this installer explicitly refuses to run as root and invokes the script without sudo. As written, the blocking step will always fail; invoke the script via sudo (or change the helper to perform privileged writes via sudo).

Suggested change
./bin/block-ssh-pswd-login.py &&
sudo ./bin/block-ssh-pswd-login.py &&


@hanhsuan hanhsuan left a comment


LGTM

@hanhsuan hanhsuan merged commit 50ac2c2 into main Mar 26, 2026
12 checks passed