From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6696415711607128064 X-Received: by 2002:a2e:9913:: with SMTP id v19mr283176lji.163.1560183583512; Mon, 10 Jun 2019 09:19:43 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a19:ee0a:: with SMTP id g10ls722456lfb.13.gmail; Mon, 10 Jun 2019 09:19:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqy9nE1vPzfCfm82Nr+yU14biIyNFus73zhvojqmZwBGymvL4PrRxAmAnf9qe/j2oj6q2kQp X-Received: by 2002:a19:9e4b:: with SMTP id h72mr9093838lfe.21.1560183582940; Mon, 10 Jun 2019 09:19:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560183582; cv=none; d=google.com; s=arc-20160816; b=pzYrKTAeogK23adOtfKPjXr1C5plu3SlTPmd2MMcgHcw1qnpmXaqjOJjdMxWq9u/rF SOuDMUb2HHs51xrTHr4v6zOFnX8H4e1XVmObogdE8yOj7PtpIvTzwuSVvmdMhK3WBD5O n0Ykmn/XvGn2THseroE9kaNUh76BTQze7DCpQDP88PSmbgxbN3gZVK0ZL3dyKh4wCZo4 yCdlLF/UqI3O3c+WFd53cn4Auae4yPSUQyp+4QWA4fB38A6chAQJmMsARi1nhG+1FOq0 ECF5FLQwI/mqGBbA2ZR/FLdVi2n4cZUiqSbo0Hqj5Btri66G5hDQKtn6cB5slorudovP bFjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:to:subject; bh=VgY6MyuB9+mG8LL511fC1Kjwm+scmajKz7v1XxZgdKA=; b=xpIR+iLObrH/GUOpP98WPCwt3qQZdt93Y6mVSJr0PSxw4SZDHcNAaJP9POyPNvjNnF S7UqCp5+DFCOAW2QHzfKKujpWV7WtfjPfFkLGZB2gqxa2j3xTi74GyT3646qYTfHR9Lv d+7bwohH2vdtfjH+1oBhgkJNMXGZ8jO0NSTILh39wNsigeMFtkLnKH+G/RM/i+bbHoVf hK9hY1iBpzBwt3YoTuPR6ESxo8j9ipqNZS4VUux7zuxyvrQRucibbV2b8kMOubX/P9mZ hjzfefD/y9GdGVgaEVNmuIz6PbG/ii6s0uBk2r2pFNGxQK77Q8CkDyRXWPLwIFDz8J+g NLuA== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of mosipov@isar-build.org designates 85.214.156.166 as permitted sender) smtp.mailfrom=mosipov@isar-build.org Return-Path: Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166]) by gmr-mx.google.com with ESMTPS id a20si608390ljb.3.2019.06.10.09.19.42 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 10 Jun 2019 09:19:42 -0700 (PDT) Received-SPF: pass (google.com: domain of mosipov@isar-build.org designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of mosipov@isar-build.org designates 85.214.156.166 as permitted sender) smtp.mailfrom=mosipov@isar-build.org Received: from [192.168.1.29] (195.165-131-109.adsl-dyn.isp.belgacom.be [109.131.165.195] (may be forged)) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8) with ESMTPSA id x5AGJeni023053 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 10 Jun 2019 18:19:41 +0200 Subject: Re: [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion To: Henning Schild , isar-users@googlegroups.com References: <20190603111100.20256-1-henning.schild@siemens.com> <20190603131231.578a081d@md1za8fc.ad001.siemens.net> From: "Maxim Yu. Osipov" Message-ID: <082c2e71-3352-3c5e-d49c-8da032a71cb9@isar-build.org> Date: Mon, 10 Jun 2019 18:19:35 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: <20190603131231.578a081d@md1za8fc.ad001.siemens.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: VWVeO+ZaW29k On 6/3/19 1:12 PM, Henning Schild wrote: > Change to v1: > - use find instead of "ls *" to detect if there are any keys > - reduce to just one if statement > > Henning Rebased and applied to the 'next'. Regards, Maxim. > Am Mon, 3 Jun 2019 13:10:59 +0200 > schrieb Henning Schild : > >> From: Henning Schild >> >> Images containing ssh host keys without some way of dealing with the >> fact that those have to be generate at run-time not install-time are >> invalid! >> >> Introduce a check that our own package "sshd-regen-keys" is installed >> when such keys are present (when an ssh daemon is installed). >> >> Suggest to install that package or find some other way of dealing with >> the problem. But fail by default, since such an image is most likely >> broken. >> >> Signed-off-by: Henning Schild >> --- >> meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++ >> 1 file changed, 13 insertions(+) >> >> diff --git a/meta/classes/image-postproc-extension.bbclass >> b/meta/classes/image-postproc-extension.bbclass index >> 625ba7d..f6ed793 100644 --- >> a/meta/classes/image-postproc-extension.bbclass +++ >> b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,16 @@ >> image_postprocess_mark() { update_etc_os_release \ >> --build-id "${BUILD_ID}" --variant "${DESCRIPTION}" >> } >> + >> +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" >> + >> +image_postprocess_sshd_key_regen() { >> + nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" >> -printf '.' | wc -c ) >> + if [ $nhkeys -ne 0 -a ! -d >> ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then >> + bbwarn "Looks like you have ssh host keys in the image but >> did "\ >> + "not install \"sshd-regen-keys\". This image should >> not be "\ >> + "deployed more than once." >> + bberror "Install the package or forcefully remove this check!" >> + exit 1 >> + fi >> +} >