[PATCH 1/2] meta/classes/image: Introduce sshd host key assertion

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

* [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion
@ 2019-05-29 11:52 Henning Schild
  2019-05-29 11:52 ` [PATCH 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
  2019-05-29 12:43 ` [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Claudius Heine
  0 siblings, 2 replies; 4+ messages in thread
From: Henning Schild @ 2019-05-29 11:52 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

From: Henning Schild <henning.schild@siemens.com>

Images containing ssh host keys without some way of dealing with the
fact that those have to be generate at run-time not install-time are
invalid!

Introduce a check that our own package "sshd-regen-keys" is installed
when such keys are present (when an ssh daemon is installed).

Suggest to install that package or find some other way of dealing with
the problem. But fail by default, since such an image is most likely
broken.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta/classes/image-postproc-extension.bbclass | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
index 625ba7d..5467bbc 100644
--- a/meta/classes/image-postproc-extension.bbclass
+++ b/meta/classes/image-postproc-extension.bbclass
@@ -44,3 +44,17 @@ image_postprocess_mark() {
     update_etc_os_release \
         --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
 }
+
+ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
+
+image_postprocess_sshd_key_regen() {
+    if ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null; then
+        if [ ! -d ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]; then
+            bbwarn "Looks like you have ssh host keys in the image but did "\
+                   "not install \"sshd-regen-keys\". This image should not be "\
+                   "deployed more than once."
+            bberror "Install the package or forcefully remove this check!"
+            exit 1
+        fi
+    fi
+}
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside
  2019-05-29 11:52 [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
@ 2019-05-29 11:52 ` Henning Schild
  2019-05-29 12:43 ` [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Claudius Heine
  1 sibling, 0 replies; 4+ messages in thread
From: Henning Schild @ 2019-05-29 11:52 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

From: Henning Schild <henning.schild@siemens.com>

A previous commit introduced a sanity check and this configuration did
not pass it.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta-isar/conf/multiconfig/rpi-stretch.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-isar/conf/multiconfig/rpi-stretch.conf b/meta-isar/conf/multiconfig/rpi-stretch.conf
index f3fac38..5a008b2 100644
--- a/meta-isar/conf/multiconfig/rpi-stretch.conf
+++ b/meta-isar/conf/multiconfig/rpi-stretch.conf
@@ -33,3 +33,5 @@ IMAGE_PREINSTALL += " \
     traceroute \
     vim \
     "
+
+IMAGE_INSTALL += "sshd-regen-keys"
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion
  2019-05-29 11:52 [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
  2019-05-29 11:52 ` [PATCH 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
@ 2019-05-29 12:43 ` Claudius Heine
  2019-05-29 12:46   ` Henning Schild
  1 sibling, 1 reply; 4+ messages in thread
From: Claudius Heine @ 2019-05-29 12:43 UTC (permalink / raw)
  To: [ext] Henning Schild, isar-users

Hi Henning,

On 29/05/2019 13.52, [ext] Henning Schild wrote:
> From: Henning Schild <henning.schild@siemens.com>
> 
> Images containing ssh host keys without some way of dealing with the
> fact that those have to be generate at run-time not install-time are
> invalid!
> 
> Introduce a check that our own package "sshd-regen-keys" is installed
> when such keys are present (when an ssh daemon is installed).
> 
> Suggest to install that package or find some other way of dealing with
> the problem. But fail by default, since such an image is most likely
> broken.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   meta/classes/image-postproc-extension.bbclass | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
> index 625ba7d..5467bbc 100644
> --- a/meta/classes/image-postproc-extension.bbclass
> +++ b/meta/classes/image-postproc-extension.bbclass
> @@ -44,3 +44,17 @@ image_postprocess_mark() {
>       update_etc_os_release \
>           --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
>   }
> +
> +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
> +
> +image_postprocess_sshd_key_regen() {
> +    if ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null; then

${WORKDIR}/rootfs -> ${IMAGE_ROOTFS}

If that file is not found, ls will complain on stderr:
     ls: cannot access '...': No such file or directory
so a '2>&1' would be needed.

(I would also rather use `stat -t` than ls.)

Merging those two ifs into one would also be nice.

Otherwise looks good.

Claudius

> +        if [ ! -d ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]; then
> +            bbwarn "Looks like you have ssh host keys in the image but did "\
> +                   "not install \"sshd-regen-keys\". This image should not be "\
> +                   "deployed more than once."
> +            bberror "Install the package or forcefully remove this check!"
> +            exit 1
> +        fi
> +    fi
> +}
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion
  2019-05-29 12:43 ` [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Claudius Heine
@ 2019-05-29 12:46   ` Henning Schild
  0 siblings, 0 replies; 4+ messages in thread
From: Henning Schild @ 2019-05-29 12:46 UTC (permalink / raw)
  To: Claudius Heine; +Cc: isar-users

Am Wed, 29 May 2019 14:43:10 +0200
schrieb Claudius Heine <claudius.heine.ext@siemens.com>:

> Hi Henning,
> 
> On 29/05/2019 13.52, [ext] Henning Schild wrote:
> > From: Henning Schild <henning.schild@siemens.com>
> > 
> > Images containing ssh host keys without some way of dealing with the
> > fact that those have to be generate at run-time not install-time are
> > invalid!
> > 
> > Introduce a check that our own package "sshd-regen-keys" is
> > installed when such keys are present (when an ssh daemon is
> > installed).
> > 
> > Suggest to install that package or find some other way of dealing
> > with the problem. But fail by default, since such an image is most
> > likely broken.
> > 
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >   meta/classes/image-postproc-extension.bbclass | 14 ++++++++++++++
> >   1 file changed, 14 insertions(+)
> > 
> > diff --git a/meta/classes/image-postproc-extension.bbclass
> > b/meta/classes/image-postproc-extension.bbclass index
> > 625ba7d..5467bbc 100644 ---
> > a/meta/classes/image-postproc-extension.bbclass +++
> > b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,17 @@
> > image_postprocess_mark() { update_etc_os_release \
> >           --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
> >   }
> > +
> > +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
> > +
> > +image_postprocess_sshd_key_regen() {
> > +    if ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null;
> > then  
> 
> ${WORKDIR}/rootfs -> ${IMAGE_ROOTFS}
> 
> If that file is not found, ls will complain on stderr:
>      ls: cannot access '...': No such file or directory
> so a '2>&1' would be needed.
> 
> (I would also rather use `stat -t` than ls.)
> 
> Merging those two ifs into one would also be nice.

Thanks, will do both.

Henning

> Otherwise looks good.
> 
> Claudius
> 
> > +        if [ ! -d
> > ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]; then
> > +            bbwarn "Looks like you have ssh host keys in the image
> > but did "\
> > +                   "not install \"sshd-regen-keys\". This image
> > should not be "\
> > +                   "deployed more than once."
> > +            bberror "Install the package or forcefully remove this
> > check!"
> > +            exit 1
> > +        fi
> > +    fi
> > +}
> >   
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-05-29 12:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-29 11:52 [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
2019-05-29 11:52 ` [PATCH 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
2019-05-29 12:43 ` [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion Claudius Heine
2019-05-29 12:46   ` Henning Schild

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox