X-BeenThere: isar-users@googlegroups.com
Date: Wed, 26 Sep 2018 10:31:38 +0200
From: Henning Schild
To: Harald Seiler
Subject: Re: [PATCH] meta: Add recipe to regenerate ssh host keys
Message-ID: <20180926103138.1241c7f1@md1pvb1c.ad001.siemens.net>
In-Reply-To: <72b02e7ac7ff8a3079d8b988e541da37396363c3.camel@denx.de>
References: <72b02e7ac7ff8a3079d8b988e541da37396363c3.camel@denx.de>

On Tue, 25 Sep 2018 17:53:19 +0200, Harald Seiler wrote:
> sshd-regen-keys is a systemd unit that will run
> at first boot and force sshd to generate new
> host keys.
>
> This prevents all devices using the same keys.
> > Signed-off-by: Harald Seiler > --- > meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ > .../sshd-regen-keys/files/sshd-regen-keys.service | 19 > +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys.bb > | 15 +++++++++++++++ 3 files changed, 38 insertions(+) > create mode 100644 > meta/recipes-support/sshd-regen-keys/files/postinst create mode > 100644 > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > create mode 100644 > meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb > > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst > b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode > 100644 index 0000000..ae722a7 > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > @@ -0,0 +1,4 @@ > +#!/bin/sh > +set -e > + > +systemctl enable sshd-regen-keys.service > diff --git > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > new file mode 100644 index 0000000..3b8231f --- /dev/null > +++ > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > @@ -0,0 +1,19 @@ +[Unit] > +Description=Regenerate sshd host keys > +DefaultDependencies=no > +Conflicts=shutdown.target > +After=systemd-remount-fs.service > +Before=shutdown.target sshd.service > +ConditionPathIsReadWrite=/etc > + > +[Service] > +Type=oneshot > +RemainAfterExit=yes > +Environment=DEBIAN_FRONTEND=noninteractive > +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; > dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl > disable sshd-regen-keys.service +StandardOutput=syslog > +StandardError=syslog > + > +[Install] > +WantedBy=sysinit.target > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb new file > mode 100644 index 0000000..3b196c2 > --- /dev/null 
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb I think a PV would be useful. sshd-regen-keys_0.1.bb > @@ -0,0 +1,15 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Systemd service to regenerate sshd keys" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "openssh-server" systemd is missing here ... yes you can still get debian without it, also with Isar Maybe something to add to IMAGE_INSTALL of one of the ci targets to get test-coverage. But wait what others think about that idea. Henning > + > +SRC_URI = "file://postinst \ > + file://sshd-regen-keys.service" > + > +inherit dpkg-raw > + > +do_install() { > + sudo install -v -d -m 755 "${D}/lib/systemd/system" > + sudo install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" > "${D}/lib/systemd/system/sshd-regen-keys.service" +} >
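Review bot: in the postinst hunk, `systemctl enable sshd-regen-keys.service` runs unconditionally under `set -e`, but DEBIAN_DEPENDS in the recipe lists only openssh-server, so nothing guarantees systemctl exists when the package is configured and the whole package configuration aborts on an image without it. Either add systemd to DEBIAN_DEPENDS (as raised elsewhere in this thread) or guard the call, e.g. `if command -v systemctl >/dev/null; then systemctl enable sshd-regen-keys.service; fi`; Debian's own convention for this step is `deb-systemd-helper enable`, which also records the enable state so a later purge can clean it up.

Review bot: in the service-unit hunk, `Before=shutdown.target sshd.service` orders against an alias: on Debian the unit is ssh.service and sshd.service is only an alias symlink created when ssh.service is enabled, so when that symlink is absent systemd silently drops the ordering and sshd can start before the new keys exist. Use `Before=ssh.service sshd.service`. Also, since this unit is pulled in by sysinit.target directly after the root filesystem is remounted, the host keys may be generated before the kernel entropy pool has been seeded on a fresh device; adding `After=systemd-random-seed.service` at least orders it behind the saved-seed restore. Finally, ExecStartPost only runs when ExecStart succeeds, so a failed `dpkg-reconfigure` leaves the unit enabled and the old keys already deleted, meaning sshd cannot start until a later boot succeeds; that is fail-closed and probably intended, but a comment in the unit saying so would help the next reader.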