debian: run a separate sshd in mgmt VRF

Leave the default sshd alone. If ssh is not necessary in default VRF,
another role should disable it.

roles/debian/files/ssh.service-override.conf

@@ -1,4 +0,0 @@
-[Service]
-ExecStartPre=sleep 10
-ExecStart=
-ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

roles/debian/files/sshd@mgmt.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenBSD Secure Shell server (management VRF)
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+
+[Install]
+WantedBy=multi-user.target

roles/debian/files/sshd_config.mgmt

@@ -0,0 +1,14 @@
+# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
+
+PidFile none
+UsePAM no
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no