* [RFC PATCH 0/1] Remove ssh-keys in postprocessing
From: Q. Gylstorff @ 2020-03-13 13:40 UTC
To: henning.schild, Cedric_Hombourger, isar-users; +Cc: Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Instead of deleting the ssh keys during first boot, delete the keys
during image creation.
The sshd-regen-keys service now checks on each boot if the keys
exist; if not, they are generated.
Quirin Gylstorff (1):
image-postproc-extension: remove ssh-host-keys
meta/classes/image-postproc-extension.bbclass | 9 ++++++++-
.../sshd-regen-keys/files/sshd-regen-keys.service | 1 -
.../sshd-regen-keys/files/sshd-regen-keys.sh | 8 +++++---
3 files changed, 13 insertions(+), 5 deletions(-)
--
2.20.1
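The cover letter describes the boot-time half of the scheme: the service regenerates host keys only when none are found. The shell below is an added example, not code from this patch or from the Isar project, written to show the one case a plain count of ssh_host_*key* files gets wrong: a leftover public half with no private key, which a read-only rootfs with a persistent overlay can easily produce. The function names, the demo directory layout and the key files created in it are assumptions made here; only the OpenSSH naming (ssh_host_<type>_key and its .pub) comes from the thread.

```shell
#!/bin/sh
# Added example, not part of the Isar patch: decide whether sshd host keys
# must be (re)generated by counting PRIVATE key files only. A stale
# ssh_host_*_key.pub without its private half must not suppress regeneration,
# because sshd cannot serve with a public key alone.

# host_keys_missing [DIR]: succeed (exit 0) when DIR holds no private host key.
# Only files named ssh_host_<type>_key count; *.pub are ignored on purpose.
host_keys_missing() {
    dir=${1:-/etc/ssh}
    n=$(find "$dir" -maxdepth 1 -type f -name 'ssh_host_*_key' 2>/dev/null | wc -l)
    n=$((n + 0))   # strip any padding wc may print
    [ "$n" -eq 0 ]
}

# stale_pubkeys [DIR]: print every *.pub whose private counterpart is gone,
# so an operator can see why regeneration is about to run.
stale_pubkeys() {
    dir=${1:-/etc/ssh}
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue            # glob did not match anything
        [ -f "${pub%.pub}" ] || printf '%s\n' "$pub"
    done
}

# demo: constructed directories standing in for three states of /etc/ssh
#   full    - complete key pair, nothing to do
#   pubonly - only the public half survived, must regenerate
#   empty   - as left by image_postprocess_delete_ssh_host_keys
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/full" "$tmp/pubonly" "$tmp/empty"
    : > "$tmp/full/ssh_host_ed25519_key"
    : > "$tmp/full/ssh_host_ed25519_key.pub"
    : > "$tmp/pubonly/ssh_host_rsa_key.pub"
    for d in full pubonly empty; do
        if host_keys_missing "$tmp/$d"; then
            echo "$d: regenerate (stale: $(stale_pubkeys "$tmp/$d" | tr '\n' ' '))"
        else
            echo "$d: keep"
        fi
    done
    rm -rf "$tmp"
}

demo
```

In a real sshd-regen-keys.sh the call would be `host_keys_missing /etc/ssh && dpkg-reconfigure openssh-server`; the stale list is only diagnostic output.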
* [RFC PATCH 1/1] image-postproc-extension: remove ssh-host-keys
From: Q. Gylstorff @ 2020-03-13 13:40 UTC
To: henning.schild, Cedric_Hombourger, isar-users; +Cc: Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add the option to remove all ssh_host_keys during image_postprocessing.
This ensures that images with read-only rootfs or overlays use the
keys generated during the image generation.
sshd-regen-keys: create new ssh keys if the keys do not exit
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
meta/classes/image-postproc-extension.bbclass | 9 ++++++++-
.../sshd-regen-keys/files/sshd-regen-keys.service | 1 -
.../sshd-regen-keys/files/sshd-regen-keys.sh | 8 +++++---
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
index bb59297..7280202 100644
--- a/meta/classes/image-postproc-extension.bbclass
+++ b/meta/classes/image-postproc-extension.bbclass
@@ -53,8 +53,15 @@ image_postprocess_machine_id() {
sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id'
}
-ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
+ROOTFS_POSTPROCESS_COMMAND =+ "${@bb.utils.contains('IMAGE_FEATURES', 'delete_ssh_host_keys', 'image_postprocess_delete_ssh_host_keys', '', d)}"
+image_postprocess_delete_ssh_host_keys() {
+ if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
+ sudo chroot ${IMAGE_ROOTFS} \
+ find /etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \;
+ fi
+}
+ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
image_postprocess_sshd_key_regen() {
nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
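Review bot: image_postprocess_delete_ssh_host_keys silently skips the deletion when ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys is absent, so selecting delete_ssh_host_keys without installing sshd-regen-keys produces an image that still carries its build-time host keys and gives no diagnostic; add an else branch with bbwarn or bbfatal. The probe itself is fragile: it is a documentation directory, which disappears on images that drop /usr/share/doc via a dpkg path-exclude, and it says nothing about whether the regeneration service is enabled. Testing for the installed script, /usr/sbin/sshd-regen-keys.sh (the unit's ExecStart), is more robust. The chroot is unnecessary, since image_postprocess_sshd_key_regen just below runs the same find directly against ${IMAGE_ROOTFS}/etc/ssh/; `sudo find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -delete` does the job without entering the rootfs. Note also that both lines use =+, so image_postprocess_sshd_key_regen is prepended last and runs before the delete function; harmless with the current checks, but worth a comment so the order is explicit.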
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index 4c4dc0e..d149ee0 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -11,7 +11,6 @@ Type=simple
RemainAfterExit=yes
Environment=DEBIAN_FRONTEND=noninteractive
ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
StandardOutput=syslog
StandardError=syslog
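Review bot: removing the ExecStartPost disable turns this into a service that runs on every boot, and the script it starts (third hunk: the `systemctl is-enabled ssh` block at the top and the "Reenabling ssh server" step at the bottom) still toggles the ssh unit around a key check that on a normal boot finds nothing to do. Put the cheap test into the unit instead, e.g. ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key (one line per key type you require), so the script only starts when something is actually missing. Visible in the hunk header but untouched here: with Type=simple, a unit ordered After=sshd-regen-keys.service does not wait for ExecStart to finish, so sshd can be started before the keys exist; Type=oneshot is the right type for a RemainAfterExit=yes generator.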
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
index 11fca3b..a6d6713 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -7,10 +7,12 @@ if systemctl is-enabled ssh; then
fi
echo "Removing keys ..."
-rm -v /etc/ssh/ssh_host_*_key*
+nhkeys=$( find /etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
-echo "Regenerating keys ..."
-dpkg-reconfigure openssh-server
+if [ "${nhkeys}" -eq "0" ]; then
+ echo "Regenerating keys ..."
+ dpkg-reconfigure openssh-server
+fi
if test -n $SSHD_ENABLED; then
echo "Reenabling ssh server ..."
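Review bot: the nhkeys count uses -iname "ssh_host_*key*", which matches the .pub files as well as the private keys, so a rootfs or persistent overlay that retained only ssh_host_rsa_key.pub yields a non-zero count and sshd is left without any private host key. Match private keys only, `find /etc/ssh -name 'ssh_host_*_key' -printf '.' | wc -c`, or drop the guard and always run dpkg-reconfigure openssh-server, whose postinst creates only the key files that are missing. The unchanged `if test -n $SSHD_ENABLED; then` is also broken: with the variable empty the command collapses to `test -n`, which is true, so the re-enable branch runs even when ssh was not enabled before; quote it as `test -n "$SSHD_ENABLED"`.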
--
2.20.1
* Re: [RFC PATCH 1/1] image-postproc-extension: remove ssh-host-keys
From: Baurzhan Ismagulov @ 2020-04-16 10:17 UTC
To: isar-users
Hello Quirin,
On Fri, Mar 13, 2020 at 02:40:28PM +0100, Q. Gylstorff wrote:
> Add the option to remove all ssh_host_keys during image_postprocessing.
> This ensures that images with read-only rootfs or overlays use the
> keys generated during the image generation.
>
> sshd-regen-keys: create new ssh keys if the keys do not exit
The change makes sense to me. Normally I prefer static generation, but this
isn't possible, since the image should be flashed to multiple devices. In that
case, keeping keys in the image doesn't make sense.
Given that, should this be an IMAGE_FEATURE? Does anything speak against always
removing the sshd keys during the image generation? Opinions welcome.
If it remains an IMAGE_FEATURE, I think we should describe it in the user
manual.
Regarding the patch: We've fixed the following issues, I'll send a v2
suggestion.
* Commit comment: "exit" -> "exist".
* Inconsistent indentation in meta/classes/image-postproc-extension.bbclass:
Fixed to 4.
* meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh: echo "Removing
keys ..." doesn't apply anymore: Removed.
With kind regards,
Baurzhan.
* [PATCH] image-postproc-extension: Remove ssh-host-keys
From: Baurzhan Ismagulov @ 2020-04-16 10:20 UTC
To: isar-users
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add the option to remove all ssh_host_keys during image_postprocessing.
This ensures that images with read-only rootfs or overlays use the
keys generated during the image generation.
sshd-regen-keys: Create new ssh keys if the keys do not exist.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Vlad Serebrennikov <vserebr@ilbers.de>
---
meta/classes/image-postproc-extension.bbclass | 9 ++++++++-
.../sshd-regen-keys/files/sshd-regen-keys.service | 1 -
.../sshd-regen-keys/files/sshd-regen-keys.sh | 10 +++++-----
3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
index bb59297..ab89ab5 100644
--- a/meta/classes/image-postproc-extension.bbclass
+++ b/meta/classes/image-postproc-extension.bbclass
@@ -53,8 +53,15 @@ image_postprocess_machine_id() {
sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id'
}
-ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
+ROOTFS_POSTPROCESS_COMMAND =+ "${@bb.utils.contains('IMAGE_FEATURES', 'delete_ssh_host_keys', 'image_postprocess_delete_ssh_host_keys', '', d)}"
+image_postprocess_delete_ssh_host_keys() {
+ if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
+ sudo chroot ${IMAGE_ROOTFS} \
+ find /etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \;
+ fi
+}
+ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
image_postprocess_sshd_key_regen() {
nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
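Review bot: the feature is still undocumented: the reply that produced this v2 asked for a user-manual entry for delete_ssh_host_keys, yet the series touches no doc/ file, and users have no way to learn that the feature does nothing unless sshd-regen-keys is installed, which is exactly what the bare `if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]` guard hides (no else branch, no bbwarn). Keying the guard off a doc directory also fails on images that strip /usr/share/doc with a dpkg path-exclude; probe for /usr/sbin/sshd-regen-keys.sh (the unit's ExecStart) instead. The chroot adds nothing over the direct `find ${IMAGE_ROOTFS}/etc/ssh/ ...` pattern used by image_postprocess_sshd_key_regen right below, and with two =+ assignments the regen check is prepended afterwards and therefore runs before the deletion, which is fine today but deserves a comment.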
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index a05e1a9..416cb11 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -11,7 +11,6 @@ Type=oneshot
RemainAfterExit=yes
Environment=DEBIAN_FRONTEND=noninteractive
ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
StandardOutput=syslog
StandardError=syslog
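Review bot: without the ExecStartPost disable, sshd-regen-keys.service runs on every boot, and the script it starts (next hunk: `systemctl disable --no-reload ssh` at the top, "Reenabling ssh server" at the bottom) still disables and re-enables ssh around a check that usually finds nothing to do. Gate the unit with ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key (plus siblings for the other required key types) so a normal boot costs a stat rather than two unit-file rewrites. Type=oneshot with RemainAfterExit=yes is the right combination for a generator that sshd must be ordered after; the v1 unit still had Type=simple.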
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
index 11fca3b..9263c83 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -6,11 +6,11 @@ if systemctl is-enabled ssh; then
systemctl disable --no-reload ssh
fi
-echo "Removing keys ..."
-rm -v /etc/ssh/ssh_host_*_key*
-
-echo "Regenerating keys ..."
-dpkg-reconfigure openssh-server
+nhkeys=$( find /etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
+if [ "${nhkeys}" -eq "0" ]; then
+ echo "Regenerating keys ..."
+ dpkg-reconfigure openssh-server
+fi
if test -n $SSHD_ENABLED; then
echo "Reenabling ssh server ..."
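Review bot: the guard counts every file matching -iname "ssh_host_*key*", public halves included; if a previous boot or a preserved overlay left only ssh_host_ecdsa_key.pub, nhkeys is non-zero, no private key is ever regenerated, and sshd refuses to start for lack of host keys. Count private keys only, `find /etc/ssh -name 'ssh_host_*_key' -printf '.' | wc -c`, or run dpkg-reconfigure openssh-server unconditionally and let its postinst create whichever key files are missing. The unchanged `if test -n $SSHD_ENABLED; then` needs quotes: an empty variable reduces it to `test -n`, which succeeds, so the Reenabling branch runs even when ssh was never enabled.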
--
2.20.1