Custom promise type for managing global sshd configuration

Ticket: ENT-13797
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

Author: larsewi

cfbs.json

@@ -302,6 +302,15 @@
         "append enable.cf services/init.cf"
       ]
     },
+    "promise-type-sshd": {
+      "description": "Promise type to configure sshd.",
+      "subdirectory": "promise-types/sshd",
+      "dependencies": ["library-for-promise-types-in-python"],
+      "steps": [
+        "copy sshd_promise_type.py modules/promises/",
+        "append enable.cf services/init.cf"
+      ]
+    },
     "promise-type-systemd": {
       "description": "Promise type to manage systemd services.",
       "subdirectory": "promise-types/systemd",

promise-types/sshd/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Northern.tech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

promise-types/sshd/README.md

@@ -0,0 +1,63 @@
+# `sshd` promise type
+
+Configures sshd and restarts the service when configuration changes.
+
+## Promiser
+The sshd configuration keyword to manage (e.g. `PermitRootLogin`, `AllowUsers`).
+Each promise manages a single directive in the drop-in config file.
+
+## Attributes
+- `value` (required) — the value for the directive, either a string or an slist
+
+## What the module manages internally
+1. **Include directive** — ensures the base `sshd_config` includes the drop-in directory (`sshd_config.d/`) as its first non-comment directive
+2. **Drop-in directory** — creates the drop-in directory if it doesn't exist
+3. **Drop-in file** — writes directives to `sshd_config.d/00-cfengine.conf`
+4. **Service restart** — restarts sshd if configuration was changed and the service is already running
+5. **Verification** — verifies the desired directive appears in the effective sshd config (`sshd -T`)
+
+## Conflicting promisers
+Having multiple promises with the same sshd keyword is not recommended.
+In case of conflicting promisers, the agent will attempt to converge the correct state for each one in the order they are evaluated.
+This means the last promise wins and determines the final value in the configuration file.
+It will also cause multiple restarts of the sshd service, which may be disruptive.
+
+## What the module does NOT do
+- Install sshd — that is a `packages:` promise
+- Ensure sshd is running — that is a `services:` promise
+- Manage match blocks — those are a policy-level concern
+
+## Policy
+```cf3
+bundle agent sshd_config
+{
+  packages:
+    "openssh-server" policy => "present";
+
+  services:
+    "sshd" service_policy => "start";
+
+  vars:
+    "allowed_users" slist => { "alice", "bob" };
+
+  sshd:
+    "PermitRootLogin" value => "no";
+    "PasswordAuthentication" value => "no";
+    "Port" value => "22";
+    "AllowUsers" value => @(allowed_users);
+}
+```
+
+## Authors
+
+This software was created by the team at [Northern.tech](https://northern.tech), with many contributions from the community.
+Thanks everyone!
+
+## Contribute
+
+Feel free to open pull requests to expand this documentation, add features, or fix problems.
+You can also pick up an existing task or file an issue in [our bug tracker](https://northerntech.atlassian.net/).
+
+## License
+
+This software is licensed under the MIT License. See LICENSE in the root of the repository for the full license text.

promise-types/sshd/enable.cf

@@ -0,0 +1,6 @@
+promise agent sshd
+# @brief Define sshd promise type
+{
+  path => "$(sys.workdir)/modules/promises/sshd_promise_type.py";
+  interpreter => "/usr/bin/python3";
+}

promise-types/sshd/example.cf

@@ -0,0 +1,30 @@
+promise agent sshd
+# @brief Define sshd promise type
+{
+  path => "$(sys.workdir)/modules/promises/sshd_promise_type.py";
+  interpreter => "/usr/bin/python3";
+}
+
+bundle agent example
+{
+  packages:
+    "openssh-server" policy => "present";
+
+  services:
+    "sshd" service_policy => "start";
+
+  vars:
+    "allowed_users" slist => { "alice", "bob" };
+
+  sshd:
+    "PermitRootLogin" value => "no";
+    "PasswordAuthentication" value => "no";
+    "Port" value => "22";
+    "AllowUsers" value => @(allowed_users);
+}
+
+bundle agent __main__
+{
+  methods:
+    "example";
+}