From: "Q. Gylstorff"
To: henning.schild@siemens.com, Cedric_Hombourger@mentor.com, isar-users@googlegroups.com
Cc: Quirin Gylstorff
Subject: [RFC PATCH 1/1] image-postproc-extension: remove ssh-host-keys
Date: Fri, 13 Mar 2020 14:40:28 +0100
Message-Id: <20200313134028.28650-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20200313134028.28650-1-Quirin.Gylstorff@siemens.com>
References: <20200313134028.28650-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

Add the option to remove all ssh_host_keys during image_postprocessing.
This ensures that images with read-only rootfs or overlays use the keys
generated during the image generation.

sshd-regen-keys: create new ssh keys if the keys do not exist
Signed-off-by: Quirin Gylstorff --- meta/classes/image-postproc-extension.bbclass | 9 ++++++++- .../sshd-regen-keys/files/sshd-regen-keys.service | 1 - .../sshd-regen-keys/files/sshd-regen-keys.sh | 8 +++++--- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass index bb59297..7280202 100644 --- a/meta/classes/image-postproc-extension.bbclass +++ b/meta/classes/image-postproc-extension.bbclass @@ -53,8 +53,15 @@ image_postprocess_machine_id() { sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id' } -ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" +ROOTFS_POSTPROCESS_COMMAND =+ "${@bb.utils.contains('IMAGE_FEATURES', 'delete_ssh_host_keys', 'image_postprocess_delete_ssh_host_keys', '', d)}" +image_postprocess_delete_ssh_host_keys() { + if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then + sudo chroot ${IMAGE_ROOTFS} \ + find /etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \; + fi +} +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" image_postprocess_sshd_key_regen() { nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c ) if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index 4c4dc0e..d149ee0 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -11,7 +11,6 @@ Type=simple RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service StandardOutput=syslog StandardError=syslog 
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index 11fca3b..a6d6713 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ -7,10 +7,12 @@ if systemctl is-enabled ssh; then fi echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* +nhkeys=$( find /etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c ) -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server +if [ "${nhkeys}" -eq "0" ]; then + echo "Regenerating keys ..." + dpkg-reconfigure openssh-server +fi if test -n $SSHD_ENABLED; then echo "Reenabling ssh server ..." -- 2.20.1
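Review bot: In the image-postproc-extension.bbclass hunk, gating the deletion behind the new IMAGE_FEATURES entry delete_ssh_host_keys, together with the removal of `rm -v /etc/ssh/ssh_host_*_key*` from sshd-regen-keys.sh in the last hunk, changes the default behaviour: an image that installs sshd-regen-keys but does not set the feature now keeps the host keys generated at build time, and because the script only regenerates when no key file is present, every device flashed from that image ends up sharing the same host keys. If that is intended, the commit message should say so explicitly and the new feature needs a user-manual entry (the diffstat contains no documentation change); otherwise consider performing the deletion whenever sshd-regen-keys is installed, which is already the condition tested by `if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then`. Two smaller points on the same function: when the feature is requested but that directory is missing, the function silently does nothing, so a bbwarn or bbfatal there would surface a misconfigured image instead of shipping shared keys unnoticed; and the host-side `find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*"` already used by image_postprocess_sshd_key_regen a few lines below would do the same job as `sudo chroot ${IMAGE_ROOTFS} find /etc/ssh/ ... -exec rm {} \;` without depending on find inside the target rootfs.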
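Review bot: In the sshd-regen-keys.service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` turns a run-once unit into one that runs on every boot, which the new "regenerate only if no key exists" script needs, but the commit message does not mention this behaviour change and should. Since the check is now relied on at every boot rather than only the first, please also confirm the ordering against ssh.service (not visible in this hunk): with `Type=simple` the unit counts as started as soon as `ExecStart=/usr/sbin/sshd-regen-keys.sh` is forked, so a `Before=ssh.service` would not wait for the script to finish; `Type=oneshot` combined with the existing `RemainAfterExit=yes` is what makes such an ordering actually hold.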
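Review bot: In the sshd-regen-keys.sh hunk, the context line `echo "Removing keys ..."` is now misleading because the hunk removes the `rm -v` it described; change it to something like `echo "Checking for existing host keys ..."` or drop it. Two logic points on the new check: first, the script still runs the `systemctl is-enabled ssh` block and the `Reenabling ssh server ...` step on every boot even when `nhkeys` is non-zero and nothing is regenerated, so testing `nhkeys` first and exiting early would avoid cycling sshd on each boot; second, `-iname "ssh_host_*key*"` also matches the `.pub` files, so a rootfs that contains only a stray public key or a partial key set yields a non-zero `nhkeys` and skips `dpkg-reconfigure openssh-server`, leaving sshd without a usable private key. Counting only the private key files (`ssh_host_*_key` without a suffix), or checking each key type sshd is configured with, would be more robust.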