[PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

* [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion
@ 2019-06-03 11:10 Henning Schild
  2019-06-03 11:11 ` [PATCHv2 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
  2019-06-03 11:12 ` [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
  0 siblings, 2 replies; 4+ messages in thread
From: Henning Schild @ 2019-06-03 11:10 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

From: Henning Schild <henning.schild@siemens.com>

Images containing ssh host keys without some way of dealing with the
fact that those have to be generate at run-time not install-time are
invalid!

Introduce a check that our own package "sshd-regen-keys" is installed
when such keys are present (when an ssh daemon is installed).

Suggest to install that package or find some other way of dealing with
the problem. But fail by default, since such an image is most likely
broken.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
index 625ba7d..f6ed793 100644
--- a/meta/classes/image-postproc-extension.bbclass
+++ b/meta/classes/image-postproc-extension.bbclass
@@ -44,3 +44,16 @@ image_postprocess_mark() {
     update_etc_os_release \
         --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
 }
+
+ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
+
+image_postprocess_sshd_key_regen() {
+    nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
+    if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
+       bbwarn "Looks like you have ssh host keys in the image but did "\
+              "not install \"sshd-regen-keys\". This image should not be "\
+              "deployed more than once."
+       bberror "Install the package or forcefully remove this check!"
+       exit 1
+    fi
+}
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCHv2 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside
  2019-06-03 11:10 [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
@ 2019-06-03 11:11 ` Henning Schild
  2019-06-03 11:12 ` [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
  1 sibling, 0 replies; 4+ messages in thread
From: Henning Schild @ 2019-06-03 11:11 UTC (permalink / raw)
  To: isar-users; +Cc: Henning Schild

From: Henning Schild <henning.schild@siemens.com>

A previous commit introduced a sanity check and this configuration did
not pass it.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 meta-isar/conf/multiconfig/rpi-stretch.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-isar/conf/multiconfig/rpi-stretch.conf b/meta-isar/conf/multiconfig/rpi-stretch.conf
index f3fac38..5a008b2 100644
--- a/meta-isar/conf/multiconfig/rpi-stretch.conf
+++ b/meta-isar/conf/multiconfig/rpi-stretch.conf
@@ -33,3 +33,5 @@ IMAGE_PREINSTALL += " \
     traceroute \
     vim \
     "
+
+IMAGE_INSTALL += "sshd-regen-keys"
-- 
2.21.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion
  2019-06-03 11:10 [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
  2019-06-03 11:11 ` [PATCHv2 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
@ 2019-06-03 11:12 ` Henning Schild
  2019-06-10 16:19   ` Maxim Yu. Osipov
  1 sibling, 1 reply; 4+ messages in thread
From: Henning Schild @ 2019-06-03 11:12 UTC (permalink / raw)
  To: isar-users

Change to v1:
  - use find instead of "ls *" to detect if there are any keys
  - reduce to just one if statement

Henning

Am Mon, 3 Jun 2019 13:10:59 +0200
schrieb Henning Schild <henning.schild@siemens.com>:

> From: Henning Schild <henning.schild@siemens.com>
> 
> Images containing ssh host keys without some way of dealing with the
> fact that those have to be generate at run-time not install-time are
> invalid!
> 
> Introduce a check that our own package "sshd-regen-keys" is installed
> when such keys are present (when an ssh daemon is installed).
> 
> Suggest to install that package or find some other way of dealing with
> the problem. But fail by default, since such an image is most likely
> broken.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/meta/classes/image-postproc-extension.bbclass
> b/meta/classes/image-postproc-extension.bbclass index
> 625ba7d..f6ed793 100644 ---
> a/meta/classes/image-postproc-extension.bbclass +++
> b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,16 @@
> image_postprocess_mark() { update_etc_os_release \
>          --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
>  }
> +
> +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
> +
> +image_postprocess_sshd_key_regen() {
> +    nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*"
> -printf '.' | wc -c )
> +    if [ $nhkeys -ne 0 -a ! -d
> ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
> +       bbwarn "Looks like you have ssh host keys in the image but
> did "\
> +              "not install \"sshd-regen-keys\". This image should
> not be "\
> +              "deployed more than once."
> +       bberror "Install the package or forcefully remove this check!"
> +       exit 1
> +    fi
> +}


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion
  2019-06-03 11:12 ` [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
@ 2019-06-10 16:19   ` Maxim Yu. Osipov
  0 siblings, 0 replies; 4+ messages in thread
From: Maxim Yu. Osipov @ 2019-06-10 16:19 UTC (permalink / raw)
  To: Henning Schild, isar-users

On 6/3/19 1:12 PM, Henning Schild wrote:
> Change to v1:
>    - use find instead of "ls *" to detect if there are any keys
>    - reduce to just one if statement
> 
> Henning

Rebased and applied to the 'next'.

Regards,
Maxim.

> Am Mon, 3 Jun 2019 13:10:59 +0200
> schrieb Henning Schild <henning.schild@siemens.com>:
> 
>> From: Henning Schild <henning.schild@siemens.com>
>>
>> Images containing ssh host keys without some way of dealing with the
>> fact that those have to be generate at run-time not install-time are
>> invalid!
>>
>> Introduce a check that our own package "sshd-regen-keys" is installed
>> when such keys are present (when an ssh daemon is installed).
>>
>> Suggest to install that package or find some other way of dealing with
>> the problem. But fail by default, since such an image is most likely
>> broken.
>>
>> Signed-off-by: Henning Schild <henning.schild@siemens.com>
>> ---
>>   meta/classes/image-postproc-extension.bbclass | 13 +++++++++++++
>>   1 file changed, 13 insertions(+)
>>
>> diff --git a/meta/classes/image-postproc-extension.bbclass
>> b/meta/classes/image-postproc-extension.bbclass index
>> 625ba7d..f6ed793 100644 ---
>> a/meta/classes/image-postproc-extension.bbclass +++
>> b/meta/classes/image-postproc-extension.bbclass @@ -44,3 +44,16 @@
>> image_postprocess_mark() { update_etc_os_release \
>>           --build-id "${BUILD_ID}" --variant "${DESCRIPTION}"
>>   }
>> +
>> +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
>> +
>> +image_postprocess_sshd_key_regen() {
>> +    nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*"
>> -printf '.' | wc -c )
>> +    if [ $nhkeys -ne 0 -a ! -d
>> ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
>> +       bbwarn "Looks like you have ssh host keys in the image but
>> did "\
>> +              "not install \"sshd-regen-keys\". This image should
>> not be "\
>> +              "deployed more than once."
>> +       bberror "Install the package or forcefully remove this check!"
>> +       exit 1
>> +    fi
>> +}
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-06-10 16:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-03 11:10 [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
2019-06-03 11:11 ` [PATCHv2 2/2] rpi-stretch: install sshd-regen-keys since openssh-server is inside Henning Schild
2019-06-03 11:12 ` [PATCHv2 1/2] meta/classes/image: Introduce sshd host key assertion Henning Schild
2019-06-10 16:19   ` Maxim Yu. Osipov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox