From: Henning Schild
To: isar-users@googlegroups.com
Cc: Henning Schild
Subject: [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion
Date: Mon, 3 Jun 2019 13:10:59 +0200
Message-Id: <20190603111100.20256-1-henning.schild@siemens.com>

From: Henning Schild

Images containing ssh host keys without some way of dealing with the fact that those have to be generated at run-time, not install-time, are invalid!

Introduce a check that our own package "sshd-regen-keys" is installed when such keys are present (when an ssh daemon is installed). Suggest installing that package or finding some other way of dealing with the problem. But fail by default, since such an image is most likely broken.

Signed-off-by: Henning Schild
---
 meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass index 625ba7d..f6ed793 100644 --- a/meta/classes/image-postproc-extension.bbclass +++ b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,16 @@ image_postprocess_mark() { update_etc_os_release \ --build-id "${BUILD_ID}" --variant "${DESCRIPTION}" } + +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" + +image_postprocess_sshd_key_regen() { + nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c ) + if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then + bbwarn "Looks like you have ssh host keys in the image but did "\ + "not install \"sshd-regen-keys\". This image should not be "\ + "deployed more than once." + bberror "Install the package or forcefully remove this check!" + exit 1 + fi +} -- 2.21.0
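Review bot: the installed-package test `! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys` is a weak proxy for "package is installed". A minimal Debian rootfs is commonly built with a dpkg `path-exclude=/usr/share/doc/*`, which makes this assertion fail even though sshd-regen-keys is installed, while a package that was removed but not purged can leave that directory behind and make it pass. Query the dpkg database inside the rootfs instead, e.g. `dpkg-query --admindir=${IMAGE_ROOTFS}/var/lib/dpkg -s sshd-regen-keys 2>/dev/null | grep -q '^Status: install ok installed'`. Two smaller points in the same hunk: `find ${IMAGE_ROOTFS}/etc/ssh/` prints an error into the task log whenever no ssh server is installed and /etc/ssh is absent (guard with `[ -d ${IMAGE_ROOTFS}/etc/ssh ]` or add `2>/dev/null`), and `bbwarn` followed by `bberror` plus `exit 1` collapses into a single `bbfatal`. The message tells the user to "forcefully remove this check", but the commit message allows for handling the problem some other way and the hunk offers no variable to switch the assertion off; a documented opt-out variable would be better than asking people to edit the class.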
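The assertion in the patch uses a documentation directory as its signal that the regeneration package is present. Below is an added example, not Isar's code and not part of the patch, of the same check written as a stand-alone POSIX shell script: it reads the dpkg status database inside the rootfs rather than /usr/share/doc, tolerates a rootfs with no /etc/ssh at all, and provides an explicit opt-out for images that regenerate keys some other way. The package name sshd-regen-keys comes from the patch; the function names, the SSHD_KEY_CHECK_SKIP variable and the throwaway rootfs built by make_fake_rootfs are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not Isar's code): audit a Debian-style root filesystem for
# OpenSSH host keys that were baked in at build time and confirm that a
# first-boot regeneration package is really installed. The package name
# "sshd-regen-keys" comes from the patch; function names, the opt-out
# variable SSHD_KEY_CHECK_SKIP and the constructed rootfs are assumptions.

# Count files directly under <rootfs>/etc/ssh that look like host keys
# (private keys and their .pub halves). Prints 0 instead of a find(1) error
# when the directory is absent, i.e. when no ssh server is installed.
count_host_keys() {
    ssh_dir="$1/etc/ssh"
    if [ ! -d "$ssh_dir" ]; then
        echo 0
        return 0
    fi
    n=$(find "$ssh_dir" -maxdepth 1 -iname 'ssh_host_*key*' | wc -l)
    echo $((n))
}

# Return 0 when <pkg> is recorded as "install ok installed" in
# <rootfs>/var/lib/dpkg/status. Testing the Status field means a package that
# was removed but not purged (which may still own a /usr/share/doc directory)
# does not count, and a rootfs built with a dpkg path-exclude for
# /usr/share/doc still passes.
dpkg_installed() {
    status_file="$1/var/lib/dpkg/status"
    [ -f "$status_file" ] || return 1
    awk -v pkg="$2" '
        /^Package: / { cur = $2 }
        /^Status: /  { if (cur == pkg && $4 == "installed") found = 1 }
        END          { exit found ? 0 : 1 }
    ' "$status_file"
}

# The assertion itself. Exit status 0: image is fine. Exit status 1: host
# keys are present and nothing will regenerate them, so every device flashed
# from this image would present the same host identity to clients.
check_sshd_host_keys() {
    rootfs="$1"
    if [ "${SSHD_KEY_CHECK_SKIP:-0}" = "1" ]; then
        return 0
    fi
    nkeys=$(count_host_keys "$rootfs")
    if [ "$nkeys" -eq 0 ]; then
        return 0
    fi
    if dpkg_installed "$rootfs" sshd-regen-keys; then
        return 0
    fi
    echo "ERROR: $nkeys ssh host key file(s) under $rootfs/etc/ssh but" \
         "sshd-regen-keys is not installed; install it, or regenerate the" \
         "keys at first boot some other way and set SSHD_KEY_CHECK_SKIP=1." >&2
    return 1
}

# --- constructed fixture for the demo, not a real image --------------------

# Create a throwaway rootfs skeleton with one ed25519 host key pair (empty
# files stand in for real keys) and an empty dpkg status database.
make_fake_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh" "$dir/var/lib/dpkg"
    : > "$dir/etc/ssh/ssh_host_ed25519_key"
    : > "$dir/etc/ssh/ssh_host_ed25519_key.pub"
    : > "$dir/var/lib/dpkg/status"
    echo "$dir"
}

# Append a minimal dpkg status stanza for <pkg> with the given Status value.
add_dpkg_stanza() {
    printf 'Package: %s\nStatus: %s\nVersion: 1.0\n\n' "$2" "$3" \
        >> "$1/var/lib/dpkg/status"
}

# Demo: baked-in keys without the package fail the check; the same tree
# passes once sshd-regen-keys is recorded as installed.
demo() {
    fake=$(make_fake_rootfs)
    if check_sshd_host_keys "$fake"; then
        echo "unexpected: check passed without sshd-regen-keys"
    fi
    add_dpkg_stanza "$fake" sshd-regen-keys "install ok installed"
    if check_sshd_host_keys "$fake"; then
        echo "OK: host keys present and sshd-regen-keys installed"
    fi
    rm -rf "$fake"
}

demo
```

Point check_sshd_host_keys at a real IMAGE_ROOTFS to use it on an Isar build; the awk stanza parser only understands the "Package:" and "Status:" lines of dpkg's status file, which is all this check needs.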