TL;DR
Okidoki; with the caveat that we are talking about development snapshots here, not full featured distros with installers, updates, etc… they come later. (Armbian just announced support!)
Super-security is not needed or welcome, the image has a fixed username and well known passwords. Because of this it’s a good idea to ship with SSH disabled, but this wasn’t done well with the February image, openssh was completely removed. Causing trouble for some. Raspbian struggled with this for some time, so I went and looked at how they solved it…
@Michael.Zhu (or whoever packages this in your team)
Here is a script for use when preparing the next image. It will disable ssh, then install a service to enable ssh at boot on demand. Users just need to create a file in the boot partition after writing the image: /boot/ssh (the contents, if any, are irrelevant, the boot partition is a FAT file-system, so should be easy to mount everywhere).
sbc-image-prep.sh (1.2 KB)
I have tested this on my system and it works as I expect. The operational bit is: (as root)
systemctl disable ssh
curl -o /lib/systemd/system/sshswitch.service https://raw.githubusercontent.com/RPi-Distro/raspberrypi-sys-mods/master/debian/raspberrypi-sys-mods.sshswitch.service
systemctl daemon-reload
systemctl enable sshswitch.service
This disables ssh, installs the sshswitch service and activates it.
The sshswitch.service will look for a file named /boot/ssh during startup.
- If it is present it will remove it; and run
systemctl enable --now ssh.
The sshswitch config file and mechanism was taken from the pi-sys-mods package originally published by the Pi foundation as part of the RPi-Distro at:
under a BSD-3-Clause Licence: