Amend password and sshd logic to support Mariner OS (#156)

* Adding OS check to support other distros with different sshd configuration paths

* Altering update logic for Mariner -- rename causing linking device issue as file moves and it can't find it

* Refactor SSH configuration logic to dynamically select the appropriate configuration path based on filesystem structure and replace distro-specific file operations with universal temp file handling using copy/remove_file.

* Refactor update_sshd_config logic: eliminate temp files, simplify write process

Replaced tempfile-based logic with direct file operations for updating sshd_config.
The function now reads the file, updates or appends the necessary configuration,
and writes it back securely with appropriate permissions (0o600). This simplifies
the implementation and avoids potential cross-device issues with temporary files.

* Removing temp dependency

* Amending config line to make it clear the PasswordAuthentication was added by azure-init, and removing the file permissions settings

* Adding another added by azure-init comment and making sure file permissions line is deleted.

Author: peytonr18

libazureinit/Cargo.toml

@@ -23,7 +23,6 @@ fstab = "0.4.0"
 toml = "0.8"
 regex = "1"
 lazy_static = "1.4"
-tempfile = "3.3.0"
 figment = { version = "0.10", features = ["toml"] }
 
 [dev-dependencies]

libazureinit/src/provision/password.rs

@@ -3,6 +3,8 @@
 
 use std::process::Command;
 
+use std::path::PathBuf;
+
 use tracing::instrument;
 
 use crate::{error::Error, User};
@@ -21,10 +23,21 @@ impl PasswordProvisioner {
     }
 }
 
+// Determines the appropriate SSH configuration file path based on the filesystem.
+// If the "/etc/ssh/sshd_config.d" directory exists, it returns the path for a drop-in configuration file.
+// Otherwise, it defaults to the main SSH configuration file at "/etc/ssh/sshd_config".
+fn get_sshd_config_path() -> &'static str {
+    if PathBuf::from("/etc/ssh/sshd_config.d").is_dir() {
+        "/etc/ssh/sshd_config.d/50-azure-init.conf"
+    } else {
+        "/etc/ssh/sshd_config"
+    }
+}
+
 #[instrument(skip_all)]
 fn passwd(user: &User) -> Result<(), Error> {
     // Update the sshd configuration to allow password authentication.
-    let sshd_config_path = "/etc/ssh/sshd_config.d/50-azure-init.conf";
+    let sshd_config_path = get_sshd_config_path();
     if let Err(error) = update_sshd_config(sshd_config_path) {
         tracing::error!(
             ?error,

libazureinit/src/provision/ssh.rs

@@ -13,14 +13,13 @@ use nix::unistd::{chown, User};
 use regex::Regex;
 use std::{
     fs::{
-        self, OpenOptions, {File, Permissions},
+        OpenOptions, {File, Permissions},
     },
     io::{self, Read, Write},
     os::unix::fs::{DirBuilderExt, PermissionsExt},
     path::PathBuf,
     process::{Command, Output},
 };
-use tempfile::NamedTempFile;
 use tracing::{error, info, instrument};
 
 lazy_static! {
@@ -220,7 +219,7 @@ pub(crate) fn update_sshd_config(
     let sshd_config_path = PathBuf::from(sshd_config_path);
     if !sshd_config_path.exists() {
         let mut file = std::fs::File::create(&sshd_config_path)?;
-        file.set_permissions(Permissions::from_mode(0o644))?;
+        file.set_permissions(Permissions::from_mode(0o600))?;
         file.write_all(b"PasswordAuthentication yes\n")?;
         tracing::info!(
             ?sshd_config_path,
@@ -237,32 +236,30 @@ pub(crate) fn update_sshd_config(
 
     let re = &PASSWORD_REGEX;
     if re.is_match(&file_content) {
-        let modified_content =
-            re.replace_all(&file_content, "PasswordAuthentication yes\n");
+        let modified_content = re.replace_all(
+            &file_content,
+            "PasswordAuthentication yes # modified by azure-init\n",
+        );
 
-        let temp_sshd_config = NamedTempFile::new()?;
-        let temp_sshd_config_path = temp_sshd_config.path();
-        let mut temp_file = OpenOptions::new()
+        let mut sshd_config = OpenOptions::new()
             .write(true)
-            .create(true)
             .truncate(true)
-            .open(temp_sshd_config_path)?;
-        temp_file.write_all(modified_content.as_bytes())?;
-        temp_file.set_permissions(fs::Permissions::from_mode(0o644))?;
+            .open(&sshd_config_path)?;
+        sshd_config.write_all(modified_content.as_bytes())?;
 
-        fs::rename(temp_sshd_config_path, &sshd_config_path)?;
         tracing::info!(
             ?sshd_config_path,
             "Updated existing sshd setting to allow password authentication"
-        )
+        );
     } else {
         let mut file =
             OpenOptions::new().append(true).open(&sshd_config_path)?;
-        file.write_all(b"PasswordAuthentication yes\n")?;
+        file.write_all(b"PasswordAuthentication yes # added by azure-init\n")?;
+
         tracing::info!(
             ?sshd_config_path,
             "Added new sshd setting to allow password authentication"
-        )
+        );
     }
 
     Ok(())