Date: Tue, 2 Oct 2018 19:56:59 +0200
From: Henning Schild
To: Harald Seiler
Cc: "Kiszka, Jan (CT RDA IOT SES-DE)", "Maxim Yu. Osipov"
Subject: Re: [PATCH] meta: Add recipe to regenerate ssh host keys
Message-ID: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net>
In-Reply-To: <20180926103138.1241c7f1@md1pvb1c.ad001.siemens.net>
References: <72b02e7ac7ff8a3079d8b988e541da37396363c3.camel@denx.de> <20180926103138.1241c7f1@md1pvb1c.ad001.siemens.net>

On Wed, 26 Sep 2018 10:31:38 +0200, "[ext] Henning Schild" wrote:

> On Tue, 25 Sep 2018 17:53:19 +0200, Harald Seiler wrote:
>
> > sshd-regen-keys is a systemd unit that will run
> > at first boot and force sshd to generate new
> > host keys.
> >
> > This prevents all devices from using the same keys.
> > > > Signed-off-by: Harald Seiler > > --- > > meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ > > .../sshd-regen-keys/files/sshd-regen-keys.service | 19 > > +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys.bb > > | 15 +++++++++++++++ 3 files changed, 38 insertions(+) > > create mode 100644 > > meta/recipes-support/sshd-regen-keys/files/postinst create mode > > 100644 > > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > create mode 100644 > > meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb > > > > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst > > b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode > > 100644 index 0000000..ae722a7 > > --- /dev/null > > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > > @@ -0,0 +1,4 @@ > > +#!/bin/sh > > +set -e > > + > > +systemctl enable sshd-regen-keys.service > > diff --git > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > new file mode 100644 index 0000000..3b8231f --- /dev/null > > +++ > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > @@ -0,0 +1,19 @@ +[Unit] > > +Description=Regenerate sshd host keys > > +DefaultDependencies=no > > +Conflicts=shutdown.target > > +After=systemd-remount-fs.service > > +Before=shutdown.target sshd.service > > +ConditionPathIsReadWrite=/etc > > + > > +[Service] > > +Type=oneshot > > +RemainAfterExit=yes > > +Environment=DEBIAN_FRONTEND=noninteractive > > +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; > > dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl > > disable sshd-regen-keys.service +StandardOutput=syslog > > +StandardError=syslog > > + > > +[Install] > > +WantedBy=sysinit.target 
> > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb new file > > mode 100644 index 0000000..3b196c2 > > --- /dev/null > > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb > > I think a PV would be useful. sshd-regen-keys_0.1.bb > > > @@ -0,0 +1,15 @@ > > +# This software is a part of ISAR. > > + > > +DESCRIPTION = "Systemd service to regenerate sshd keys" > > +MAINTAINER = "isar-users " > > +DEBIAN_DEPENDS = "openssh-server" > > systemd is missing here ... yes you can still get debian without it, > also with Isar > > Maybe something to add to IMAGE_INSTALL of one of the ci targets to > get test-coverage. But wait what others think about that idea. I made up my mind about that. Isar has recently gained some features that lack examples and test coverage, please add an IMAGE_INSTALL+= to qemuamd64.conf. These seemingly simple things will otherwise break eventually. Henning > Henning > > > + > > +SRC_URI = "file://postinst \ > > + file://sshd-regen-keys.service" > > + > > +inherit dpkg-raw > > + > > +do_install() { > > + sudo install -v -d -m 755 "${D}/lib/systemd/system" > > + sudo install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" > > "${D}/lib/systemd/system/sshd-regen-keys.service" +} > > >
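Review bot: in the postinst hunk, `systemctl enable sshd-regen-keys.service` is called unconditionally and with `set -e`, so package configuration aborts in a build chroot where the systemctl binary is absent (the recipe's DEBIAN_DEPENDS names only openssh-server, as already pointed out), and there is no prerm/postrm that disables the unit again on package removal, leaving a dangling wants symlink under sysinit.target. Guard the call with `[ "$1" = configure ]`, prefer `deb-systemd-helper enable sshd-regen-keys.service` (init-system-helpers, the helper Debian's own packaging uses), and add a prerm that disables the unit.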
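Review bot: in the service-file hunk, `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` ignores a failure of the disable step (leading `-`), so if disabling ever fails the unit stays enabled and deletes and regenerates the host keys on every boot, silently invalidating every client's known_hosts entry; drop the `-` so the failure is visible, or gate the unit on a marker (`ConditionPathExists=!/etc/ssh/.host-keys-regenerated`, written by ExecStartPost) instead of relying on disable. Separately, with `DefaultDependencies=no`, `WantedBy=sysinit.target` and only `After=systemd-remount-fs.service`, `dpkg-reconfigure openssh-server` can run before /var (the dpkg database) is mounted on systems with a separate /var; add `RequiresMountsFor=/var/lib/dpkg /etc/ssh`, and consider `After=systemd-random-seed.service` so the keys are not drawn before the saved seed has been loaded.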
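As an added illustration of the defect the commit message describes (not part of this thread or of Isar): a check that takes `ssh-keyscan` output for a fleet and reports hosts presenting the same host key, the condition the first-boot regeneration is meant to rule out. The key blobs and host names below are constructed, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) for each 'host keytype base64' line.

    Comment lines (ssh-keyscan prints '# host SSH-2.0-...' banners) are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore rather than crash
        yield parts[0], parts[1], fingerprint(parts[2])


def shared_host_keys(text: str) -> dict:
    """Map each (keytype, fingerprint) seen on more than one host to the sorted hosts."""
    seen = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        seen[(keytype, fp)].add(host)
    return {f"{kt} {fp}": sorted(hosts) for (kt, fp), hosts in seen.items() if len(hosts) > 1}


def _blob(tag: bytes) -> str:
    # Constructed stand-in for a public key blob; not a usable key.
    return base64.b64encode(b"constructed-host-key-" + tag).decode()


# Constructed ssh-keyscan output: device-01 and device-02 are clones of one image.
SAMPLE_KEYSCAN = "\n".join([
    "# device-01.lan:22 SSH-2.0-OpenSSH_7.4p1 Debian-10",
    f"device-01.lan ssh-ed25519 {_blob(b'shared')}",
    f"device-02.lan ssh-ed25519 {_blob(b'shared')}",
    f"device-03.lan ssh-ed25519 {_blob(b'unique')}",
    f"device-01.lan ssh-rsa {_blob(b'rsa-1')}",
    f"device-02.lan ssh-rsa {_blob(b'rsa-2')}",
])

if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key} on: {', '.join(hosts)}")
```

On a real fleet, feed it `ssh-keyscan -t ed25519,rsa host1 host2 ...` output; any hit means the image was cloned with its keys baked in.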