From: Henning Schild
To: isar-users@googlegroups.com
Cc: Henning Schild
Subject: [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion
Date: Wed, 29 May 2019 13:52:56 +0200
Message-Id: <20190529115257.28898-1-henning.schild@siemens.com>
X-Mailer: git-send-email 2.21.0

From: Henning Schild

Images containing ssh host keys without some way of dealing with the fact
that those have to be generated at run-time not install-time are invalid!

Introduce a check that our own package "sshd-regen-keys" is installed when
such keys are present (when an ssh daemon is installed). Suggest to install
that package or find some other way of dealing with the problem. But fail
by default, since such an image is most likely broken.

Signed-off-by: Henning Schild
---
 meta/classes/image-postproc-extension.bbclass | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass index 625ba7d..5467bbc 100644 --- a/meta/classes/image-postproc-extension.bbclass +++ b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,17 @@ image_postprocess_mark() { update_etc_os_release \ --build-id "${BUILD_ID}" --variant "${DESCRIPTION}" } + +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" + +image_postprocess_sshd_key_regen() { + if ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null; then + if [ ! -d ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]; then + bbwarn "Looks like you have ssh host keys in the image but did "\ + "not install \"sshd-regen-keys\". This image should not be "\ + "deployed more than once." + bberror "Install the package or forcefully remove this check!" + exit 1 + fi + fi +} -- 2.21.0
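Review bot: the "package installed" test in image_postprocess_sshd_key_regen keys off the directory `${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys`, so on images that strip documentation (a dpkg path-exclude for /usr/share/doc is common in minimal rootfs builds) the package can be installed and the check still aborts the build; asking dpkg is more robust, e.g. `dpkg-query --admindir=${WORKDIR}/rootfs/var/lib/dpkg -s sshd-regen-keys` or matching `Package: sshd-regen-keys` in the rootfs dpkg status file. Two smaller points in the same function: `ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null` only redirects stdout, so when no keys exist ls still prints "No such file or directory" into the task log (add `2>&1`, or iterate the glob with a for loop and test `-e`), and the bbwarn/bberror/exit 1 sequence can be a single `bbfatal`, which logs the message and aborts the task in one step.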