agama-project · jreidinger · Feb 19, 2025 · Feb 3, 2025 · Feb 4, 2025 · Feb 4, 2025
diff --git a/products.d/agama-products.changes b/products.d/agama-products.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 19 14:16:28 UTC 2025 - Josef Reidinger <jreidinger@suse.com>
+
+- Add sudo-policy-wheel-auth-self package as mandatory for products
+  that do not do it automatic to allow just non-root user for
+  initial login (jsc#PM-2128)
+
 -------------------------------------------------------------------
 Thu Feb 13 11:19:19 UTC 2025 - Lubos Kocman <lubos.kocman@suse.com>
 

diff --git a/products.d/sles_160.yaml b/products.d/sles_160.yaml
@@ -74,6 +74,7 @@ software:
     - sles_minimal_sap
   mandatory_packages:
     - NetworkManager
+    - sudo-policy-wheel-auth-self # explicit wheel group policy to conform new auth model
   optional_packages: null
   base_product: SLES
 

diff --git a/products.d/sles_sap_160.yaml b/products.d/sles_sap_160.yaml
@@ -44,6 +44,7 @@ software:
     - sles_sap_gui
   mandatory_packages:
     - NetworkManager
+    - sudo-policy-wheel-auth-self # explicit wheel group policy to conform new auth model
   optional_packages: null
   base_product: SLES_SAP
 

diff --git a/products.d/slowroll.yaml b/products.d/slowroll.yaml
@@ -61,6 +61,7 @@ software:
   mandatory_packages:
     - NetworkManager
     - openSUSE-repos-Slowroll
+    - sudo-policy-wheel-auth-self # explicit wheel group policy to conform new auth model
   optional_packages: null
   base_product: openSUSE
 

diff --git a/products.d/tumbleweed.yaml b/products.d/tumbleweed.yaml
@@ -112,6 +112,7 @@ software:
   mandatory_packages:
     - NetworkManager
     - openSUSE-repos-Tumbleweed
+    - sudo-policy-wheel-auth-self # explicit wheel group policy to conform new auth model
   optional_packages: null
   base_product: openSUSE
 

diff --git a/service/lib/agama/users.rb b/service/lib/agama/users.rb
@@ -23,10 +23,13 @@
 require "y2users"
 require "y2users/linux" # FIXME: linux is not in y2users file
 require "yast2/execute"
+require "y2firewall/firewalld"
 require "agama/helpers"
 require "agama/issue"
 require "agama/with_issues"
 
+Yast.import "Service"
+
 module Agama
   # Backend class using YaST code.
   #
@@ -118,6 +121,8 @@ def assign_first_user(full_name, user_name, password, hashed_password, auto_logi
       return fatal_issues.map(&:message) unless fatal_issues.empty?
 
       config.attach(user)
+      add_user_to_group(user_name, "wheel")
+
       config.login ||= Y2Users::LoginConfig.new
       config.login.autologin_user = auto_login ? user : nil
       update_issues
@@ -134,6 +139,12 @@ def remove_first_user
     def write
       without_run_mount do
         on_target do
+          # if root ssh key is specified ensure that sshd running and firewall has port opened
+          enable_ssh if root_ssh_key?
+
+          # disable root password if not set
+          assign_root_password("!", true) unless root_password?
+
           system_config = Y2Users::ConfigManager.instance.system(force_read: true)
           target_config = system_config.copy
           Y2Users::ConfigMerger.new(target_config, config).merge
@@ -200,5 +211,20 @@ def root_user
       config.attach(@root_user)
       @root_user
     end
+
+    def enable_ssh
+      logger.info "root SSH public key is set, enabling sshd and opening the firewall"
+      Yast::Service.Enable("sshd")
+      firewalld = Y2Firewall::Firewalld.instance
+      # open port only if firewalld is installed, otherwise it will crash
+      firewalld.api.add_service(firewalld.default_zone, "ssh") if firewalld.installed?
+    end
+
+    def add_user_to_group(user_name, group_name)
+      group = config.groups.by_name(group_name)
+      group ||= Y2Users::Group.new(group_name)
+      group.users_name << user_name
+      config.attach(group) unless group.attached?
+    end
   end
 end
diff --git a/service/package/rubygem-agama-yast.changes b/service/package/rubygem-agama-yast.changes
@@ -1,8 +1,17 @@
+-------------------------------------------------------------------
+Wed Feb 19 14:21:40 UTC 2025 - Josef Reidinger <jreidinger@suse.com>
+
+- if root ssh key is used, ensure that sshd is enabled and firewall
+  has port open (jsc#PM-2128)
+- root password is explicitelly locked if not specified
+- first user will be in wheel group (jsc#PM-2128)
+
 -------------------------------------------------------------------
 Wed Feb 19 13:35:07 UTC 2025 - Ladislav Slezák <lslezak@suse.com>
 
 - UX: Improve the libzypp callbacks (gh#agama-project/agama#1985)
 
+
 -------------------------------------------------------------------
 Tue Feb 18 17:19:08 UTC 2025 - Knut Anderssen <kanderssen@suse.com>
 

diff --git a/service/test/agama/software/manager_test.rb b/service/test/agama/software/manager_test.rb
@@ -333,7 +333,9 @@
       expect(proposal).to receive(:set_resolvables)
         .with("agama", :pattern, [], { optional: true })
       expect(proposal).to receive(:set_resolvables)
-        .with("agama", :package, ["NetworkManager", "openSUSE-repos-Tumbleweed"])
+        .with("agama", :package, [
+                "NetworkManager", "openSUSE-repos-Tumbleweed", "sudo-policy-wheel-auth-self"
+              ])
       expect(proposal).to receive(:set_resolvables)
         .with("agama", :package, [], { optional: true })
       subject.propose

diff --git a/service/test/agama/users_test.rb b/service/test/agama/users_test.rb
@@ -85,6 +85,7 @@
         user = users_config.users.by_name("jane")
         expect(user.full_name).to eq("Jane Doe")
         expect(user.password).to eq(Y2Users::Password.create_plain("12345"))
+        expect(user.groups.map(&:name)).to eq(["wheel"])
       end
 
       context "when a first user exists" do
@@ -168,6 +169,34 @@
       subject.write
     end
 
+    context "when a SSH public key for the root user is given" do
+      let(:firewalld) do
+        Y2Firewall::Firewalld.instance
+      end
+
+      before do
+        subject.root_ssh_key = "ssh-rsa ..."
+        allow(firewalld).to receive(:installed?).and_return(true)
+      end
+
+      it "enables the sshd service" do
+        expect(Yast::Service).to receive(:Enable).with("sshd")
+        expect(firewalld.api).to receive(:add_service).with(firewalld.default_zone, "ssh")
+        subject.write
+      end
+    end
+
+    context "when no SSH public key is given" do
+      before do
+        subject.assign_root_password("", false)
+      end
+
+      it "disables the root password" do
+        expect(subject).to receive(:assign_root_password).with("!", true)
+        subject.write
+      end
+    end
+
     context "if some issue occurs" do
       let(:issues) { [double("issue")] }