Disable the SSH daemon in most non-global zones

[citrus-it]

This improves things by disabling the SSH daemon in self-assembling zones via the smf profile, and directly in non-self-assembling zones. The service remains enabled in the switch zone for wicket and support.

[citrus-it]

gimlet-sn06 # svcs -Z ssh
ZONE             STATE          STIME    FMRI
global           online         1986     svc:/network/ssh:default
oxz_clickhouse_b76f5a4e-3414-4cb2-9b63-587b59cb520f disabled       10:43:08 svc:/network/ssh:default
oxz_cockroachdb_186560a2-6d23-44f0-a7d1-ec72472e314b disabled       10:40:48 svc:/network/ssh:default
oxz_cockroachdb_47a24038-7d93-4d5e-9fd7-b18a31d321d8 disabled       10:40:48 svc:/network/ssh:default
oxz_cockroachdb_a6b8002a-aebc-435a-a100-accb1c03a64d disabled       10:40:48 svc:/network/ssh:default
oxz_cockroachdb_3f557e68-60f6-4682-b939-46c2101803b3 disabled       10:40:48 svc:/network/ssh:default
oxz_cockroachdb_b1fe944f-09ca-4374-9bf0-424b1007b216 disabled       10:40:48 svc:/network/ssh:default
oxz_crucible_5133048b-9928-48e7-b95c-b6e81502c75e disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_635308b0-81a2-4836-9858-c8f5efc23eff disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_6e15773f-9166-411f-9519-f0be252d4cdc disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_7454b477-2766-45c5-bcd0-99260db0ccac disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_9b4190cd-48fd-4394-8525-7f464e171f0d disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_9df7c7cb-a8a2-43f3-806d-3597aaab71ec disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_a10cb52b-94bf-4a3a-8854-519082840db9 disabled       10:42:29 svc:/network/ssh:default
oxz_crucible_bed7d634-07e9-43dc-a44d-75e9fb5183e8 disabled       10:42:29 svc:/network/ssh:default
oxz_crucible_f44205cc-ff73-41f9-b946-2b5fb4256c66 disabled       10:42:30 svc:/network/ssh:default
oxz_crucible_pantry_e291ac18-125b-445f-bab6-a2a563070076 disabled       10:42:26 svc:/network/ssh:default
oxz_crucible_pantry_6aa0ca00-dcd8-4f8e-a3f0-590466033175 disabled       10:42:26 svc:/network/ssh:default
oxz_crucible_pantry_15efcb71-7663-471c-b51a-03c550fcaab6 disabled       10:42:27 svc:/network/ssh:default
oxz_external_dns_640dd9c3-81a7-4fef-a957-08b47518a8c5 disabled       10:42:28 svc:/network/ssh:default
oxz_external_dns_b540faa7-4c1b-4c8d-a894-1d4f4ed41042 disabled       10:42:42 svc:/network/ssh:default
oxz_internal_dns_ded0d456-10c5-43dc-8b82-765ccb1bda9c disabled       10:39:24 svc:/network/ssh:default
oxz_internal_dns_488aeb9b-0764-44ea-8ab6-b6b812dca0f6 disabled       10:39:26 svc:/network/ssh:default
oxz_internal_dns_57e5e1df-6bd4-4e2b-ab42-c6d512f712da disabled       10:39:27 svc:/network/ssh:default
oxz_nexus_03b56595-2e25-4e3e-af64-88780c1c193f disabled       10:42:56 svc:/network/ssh:default
oxz_nexus_12a53bd3-203b-473e-9161-ef1286183fe3 disabled       10:42:36 svc:/network/ssh:default
oxz_nexus_b1b27598-9a00-4e70-b677-90d3b05cc875 disabled       10:42:49 svc:/network/ssh:default
oxz_ntp_dc584126-79cc-4759-8699-709ef23964ba disabled       10:39:55 svc:/network/ssh:default
oxz_oximeter_fe2e6708-f438-417b-8da5-a9162d4b6072 disabled       10:42:48 svc:/network/ssh:default
oxz_switch       online         10:37:53 svc:/network/ssh:default
sidecar_softnpu  online         10:36:20 svc:/network/ssh:default

[smklein]

Do we also need ssh for chrony in the NTP zone?

(My context is basically just this comment: https://github.com/oxidecomputer/helios-omicron-brand/blob/87082932247209dc89ef31b627db2ce90792511a/brand/src/bin/baseline.rs#L150-L153 )

[jclulow]

No that comment is saying we need chrony in the NTP zone.