Lockdown ssh, and also temporarily comment out deleting containers on ISO build

dangerzone/gui/vm.py

@@ -153,6 +153,8 @@ class Vm(QtCore.QObject):
             "UseDNS=no",
             "-o",
             f"AuthorizedKeysFile={self.ssh_client_pubkey_path}",
+            "-o",
+            "ForceCommand=/sbin/nologin",
         ]
         args_str = " ".join(pipes.quote(s) for s in args)
         print("> " + args_str)
@@ -229,11 +231,14 @@ class Vm(QtCore.QObject):
         ]
         args_str = " ".join(pipes.quote(s) for s in args)
         print("> " + args_str)
-        # To be able to login to the VM from the console, remove the stdout, stderr, and stdin args below
+
-        # self.hyperkit_p = subprocess.Popen(
+        # Start the VM with the ability to login
-        #     args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
+        # self.hyperkit_p = subprocess.Popen(args)
-        # )
+
-        self.hyperkit_p = subprocess.Popen(args)
+        # Start the VM without ability to login
+        self.hyperkit_p = subprocess.Popen(
+            args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
+        )
 
         # Wait for SSH thread
         self.wait_t = WaitForSsh(self.sshd_tunnel_port)

install/vm-builder/build-iso.sh

@@ -5,7 +5,9 @@ sudo modprobe fuse
 sudo modprobe tun
 sudo rc-update add cgroups
 sudo rc-service cgroups start
-sudo -u user podman system prune -a -f
+
+# Temporarily comment this out to speed up building ISOs in dev
+# sudo -u user podman system prune -a -f
 
 # Build the podman container
 cd /opt/dangerzone-converter