cfengine · larsewi · Mar 11, 2026 · Mar 12, 2026
diff --git a/cfbs.json b/cfbs.json
@@ -302,6 +302,15 @@
         "append enable.cf services/init.cf"
       ]
     },
+    "promise-type-sshd": {
+      "description": "Promise type to configure sshd.",
+      "subdirectory": "promise-types/sshd",
+      "dependencies": ["library-for-promise-types-in-python"],
+      "steps": [
+        "copy sshd.py modules/promises/",
+        "append enable.cf services/init.cf"
+      ]
+    },
     "promise-type-systemd": {
       "description": "Promise type to manage systemd services.",
       "subdirectory": "promise-types/systemd",

diff --git a/promise-types/sshd/LICENSE b/promise-types/sshd/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Northern.tech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/promise-types/sshd/README.md b/promise-types/sshd/README.md
@@ -0,0 +1,63 @@
+# `sshd` promise type
+
+Configures sshd and restarts the service when configuration changes.
+
+## Promiser
+An arbitrary human-readable label that appears in log messages and reports.
+Since there is only one global sshd configuration, the promiser is not used to identify a resource.
+Example: `"global sshd config"`.
+
+## Attributes
+- Named using sshd's native directive names (e.g. `PermitRootLogin`, not `permit_root_login`)
+- Values can be strings or slists
+- Validated against `sshd -G` during promise validation
+
+## What the module manages internally
+1. **Include directive** — ensures the base `sshd_config` includes the drop-in directory (`sshd_config.d/`) as its first non-comment directive
+2. **Drop-in directory** — creates the drop-in directory if it doesn't exist
+3. **Drop-in file** — writes directives to `sshd_config.d/00-cfengine.conf`
+4. **Service restart** — restarts sshd if configuration was changed and the service is already running
+5. **Verification** — verifies the desired attributes appear in the effective sshd config (`sshd -T`)
+
+## What the module does NOT do
+- Install sshd — that is a `packages:` promise
+- Ensure sshd is running — that is a `services:` promise
+- Manage match blocks — those are a policy-level concern
+
+## Policy
+```cf3
+bundle agent sshd_config
+{
+  packages:
+      "openssh-server"
+          policy => "present";
+
+  services:
+      "sshd"
+          service_policy => "start";
+
+  vars:
+      "allowed_users" slist => { "alice", "bob" };
+
+  sshd:
+      "global"
+          PermitRootLogin        => "no",
+          PasswordAuthentication => "no",
+          Port                   => "22",
+          AllowUsers             => @(allowed_users);
+}
+```
+
+## Authors
+
+This software was created by the team at [Northern.tech](https://northern.tech), with many contributions from the community.
+Thanks everyone!
+
+## Contribute
+
+Feel free to open pull requests to expand this documentation, add features, or fix problems.
+You can also pick up an existing task or file an issue in [our bug tracker](https://northerntech.atlassian.net/).
+
+## License
+
+This software is licensed under the MIT License. See LICENSE in the root of the repository for the full license text.
diff --git a/promise-types/sshd/enable.cf b/promise-types/sshd/enable.cf
@@ -0,0 +1,6 @@
+promise agent sshd
+# @brief Define sshd promise type
+{
+  path => "$(sys.workdir)/modules/promises/sshd.py";
+  interpreter => "/usr/bin/python3";
+}
diff --git a/promise-types/sshd/example.cf b/promise-types/sshd/example.cf
@@ -0,0 +1,33 @@
+promise agent sshd
+# @brief Define sshd promise type
+{
+  path => "$(sys.workdir)/modules/promises/sshd.py";
+  interpreter => "/usr/bin/python3";
+}
+
+bundle agent example
+{
+  packages:
+    "openssh-server"
+        policy => "present";
+
+  services:
+    "sshd"
+        service_policy => "start";
+
+  vars:
+    "allowed_users" slist => { "alice", "bob" };
+
+  sshd:
+    "global"
+        PermitRootLogin        => "no",
+        PasswordAuthentication => "no",
+        Port                   => "22",
+        AllowUsers             => @(allowed_users);
+}
+
+bundle agent __main__
+{
+  methods:
+    "example";
+}