public inbox for isar-users@googlegroups.com
From: Baurzhan Ismagulov <ibr@radix50.net>
To: isar-users@googlegroups.com
Subject: [PATCH] image-postproc-extension: Remove ssh-host-keys
Date: Thu, 16 Apr 2020 12:20:11 +0200	[thread overview]
Message-ID: <20200416102011.9053-1-ibr@radix50.net> (raw)
In-Reply-To: <20200416101744.3bjlmwn35bjopz5d@yssyq.m.ilbers.de>

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add the option to remove all ssh_host_keys during image_postprocessing.
This ensures that images with read-only rootfs or overlays use the
keys generated during the image generation.

sshd-regen-keys: Create new ssh keys if the keys do not exist.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Vlad Serebrennikov <vserebr@ilbers.de>
---
 meta/classes/image-postproc-extension.bbclass          |  9 ++++++++-
 .../sshd-regen-keys/files/sshd-regen-keys.service      |  1 -
 .../sshd-regen-keys/files/sshd-regen-keys.sh           | 10 +++++-----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass
index bb59297..ab89ab5 100644
--- a/meta/classes/image-postproc-extension.bbclass
+++ b/meta/classes/image-postproc-extension.bbclass
@@ -53,8 +53,15 @@ image_postprocess_machine_id() {
     sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id'
 }
 
-ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
+ROOTFS_POSTPROCESS_COMMAND =+ "${@bb.utils.contains('IMAGE_FEATURES', 'delete_ssh_host_keys', 'image_postprocess_delete_ssh_host_keys', '', d)}"
+image_postprocess_delete_ssh_host_keys() {
+    if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
+        sudo chroot ${IMAGE_ROOTFS} \
+            find /etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \;
+    fi
+}
 
+ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen"
 image_postprocess_sshd_key_regen() {
     nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
     if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then
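Review bot: the new `delete_ssh_host_keys` value for IMAGE_FEATURES is not documented anywhere in this series (the diffstat touches only the class and the sshd-regen-keys files); please add an entry to the user manual that states the feature requires the sshd-regen-keys package, because `image_postprocess_delete_ssh_host_keys` silently does nothing when `${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys` is absent, and a user who enables the feature without the package would ship an image with build-time host keys shared by every device flashed from it. Two smaller points in the same hunk: `${IMAGE_ROOTFS}` is unquoted in the `[ -d ... ]` test and in the `chroot` call, whereas the surrounding code quotes it (`sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id'`), and the deletion could run `sudo find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \;` on the host, as `image_postprocess_sshd_key_regen` already does with its `find`, instead of depending on a working `find` inside the target rootfs. Also note that both lines use `=+`, so `image_postprocess_sshd_key_regen` ends up ahead of `image_postprocess_delete_ssh_host_keys` in ROOTFS_POSTPROCESS_COMMAND and the key-count check runs before the deletion; harmless today, since deletion only happens when sshd-regen-keys is installed, but worth a comment next to the assignments.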
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index a05e1a9..416cb11 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -11,7 +11,6 @@ Type=oneshot
 RemainAfterExit=yes
 Environment=DEBIAN_FRONTEND=noninteractive
 ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
 StandardOutput=syslog
 StandardError=syslog
 
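Review bot: with `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` removed and `RemainAfterExit=yes` kept, the unit now runs on every boot and correctness relies entirely on the key-count check added to sshd-regen-keys.sh; the commit message should say so explicitly, since "Create new ssh keys if the keys do not exist" does not make clear that the self-disable is gone. Dropping it is the right call for a read-only rootfs, where the `disable` would have failed anyway and the leading `-` only hid the error, but see the script hunk for the cost of running the whole script each boot: ssh is disabled and re-enabled on every start even when no keys are regenerated.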
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
index 11fca3b..9263c83 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -6,11 +6,11 @@ if systemctl is-enabled ssh; then
     systemctl disable --no-reload ssh
 fi
 
-echo "Removing keys ..."
-rm -v /etc/ssh/ssh_host_*_key*
-
-echo "Regenerating keys ..."
-dpkg-reconfigure openssh-server
+nhkeys=$( find /etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c )
+if [ "${nhkeys}" -eq "0" ]; then
+    echo "Regenerating keys ..."
+    dpkg-reconfigure openssh-server
+fi
 
 if test -n $SSHD_ENABLED; then
     echo "Reenabling ssh server ..."
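Review bot: `systemctl disable --no-reload ssh` at the top of the script still runs unconditionally, so on every boot ssh is disabled and then re-enabled even when `nhkeys` is non-zero and nothing is regenerated; move the is-enabled/disable block inside the `if [ "${nhkeys}" -eq "0" ]` branch, or exit early before it, so that a boot with existing keys is a no-op. The re-enable test in the unchanged context, `if test -n $SSHD_ENABLED; then`, is unquoted: when the variable is empty the command collapses to `test -n`, which is true, so ssh would be re-enabled even if it was not enabled before; use `if test -n "$SSHD_ENABLED"; then`. Minor: `find -printf` is GNU-specific, acceptable for a Debian target, but the same count expression is now duplicated between this script and the bbclass, so a change to the key-name pattern must be made in both places.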
-- 
2.20.1


2020-03-13 13:40 [RFC PATCH 0/1] Remove ssh-keys in postprocessing Q. Gylstorff
2020-03-13 13:40 ` [RFC PATCH 1/1] image-postproc-extension: remove ssh-host-keys Q. Gylstorff
2020-04-16 10:17   ` Baurzhan Ismagulov
2020-04-16 10:20     ` Baurzhan Ismagulov [this message]
