Date: Wed, 29 May 2019 14:46:19 +0200
From: Henning Schild
To: Claudius Heine
Subject: Re: [PATCH 1/2] meta/classes/image: Introduce sshd host key assertion
Message-ID: <20190529144619.14deede9@md1za8fc.ad001.siemens.net>
In-Reply-To: <1436968b-b542-dc76-f971-e8bc9e3a626b@siemens.com>
References: <20190529115257.28898-1-henning.schild@siemens.com> <1436968b-b542-dc76-f971-e8bc9e3a626b@siemens.com>

On Wed, 29 May 2019 14:43:10 +0200, Claudius Heine wrote:
> Hi Henning,
>
> On 29/05/2019 13.52, [ext] Henning Schild wrote:
> > From: Henning Schild > > > > Images containing ssh host keys without some way of dealing with the > > fact that those have to be generate at run-time not install-time are > > invalid! > > > > Introduce a check that our own package "sshd-regen-keys" is > > installed when such keys are present (when an ssh daemon is > > installed). > > > > Suggest to install that package or find some other way of dealing > > with the problem. But fail by default, since such an image is most > > likely broken. > > > > Signed-off-by: Henning Schild > > --- > > meta/classes/image-postproc-extension.bbclass | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/meta/classes/image-postproc-extension.bbclass > > b/meta/classes/image-postproc-extension.bbclass index > > 625ba7d..5467bbc 100644 --- > > a/meta/classes/image-postproc-extension.bbclass +++ > > b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,17 @@ > > image_postprocess_mark() { update_etc_os_release \ > > --build-id "${BUILD_ID}" --variant "${DESCRIPTION}" > > } > > + > > +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" > > + > > +image_postprocess_sshd_key_regen() { > > + if ls ${WORKDIR}/rootfs/etc/ssh/ssh_host_*key* > /dev/null; > > then > > ${WORKDIR}/rootfs -> ${IMAGE_ROOTFS} > > If that file is not found, ls will complain on stderr: > ls: cannot access '...': No such file or directory > so a '2>&1' would be needed. > > (I would also rather use `stat -t` than ls.) > > Merging those two ifs into one would also be nice. Thanks, will do both. Henning > Otherwise looks good. > > Claudius > > > + if [ ! -d > > ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]; then > > + bbwarn "Looks like you have ssh host keys in the image > > but did "\ > > + "not install \"sshd-regen-keys\". This image > > should not be "\ > > + "deployed more than once." > > + bberror "Install the package or forcefully remove this > > check!" > > + exit 1 > > + fi > > + fi > > +} > > >
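Review bot: the package-presence test in this hunk, `[ ! -d ${WORKDIR}/rootfs/usr/share/doc/sshd-regen-keys ]`, keys on a documentation directory rather than on the package itself, so it raises a false alarm (and fails the build) on images that strip /usr/share/doc, and it stays silent if a stale doc directory outlives removal of the package; since the whole point of the assertion is to stop images with baked-in host keys from shipping, the check should be tied to what is actually installed, for example by querying the package database inside the rootfs (`dpkg-query --admindir=${IMAGE_ROOTFS}/var/lib/dpkg -s sshd-regen-keys`, assuming the usual Debian admindir layout under the image rootfs), and the `${IMAGE_ROOTFS}` substitution Claudius asked for applies to this path as well. Two smaller points: `bbwarn` followed by `bberror` and `exit 1` can collapse into a single `bbfatal` carrying the same message, if that helper is available in this class's shell context; and whatever form the key-presence test takes (`ls` or `stat -t`), the stderr redirect must come after the stdout one, `> /dev/null 2>&1`, or simply be `2>/dev/null`, otherwise the "cannot access" message from a glob miss still reaches the log.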