From: Baurzhan Ismagulov
To: isar-users@googlegroups.com
Subject: [PATCH] image-postproc-extension: Remove ssh-host-keys
Date: Thu, 16 Apr 2020 12:20:11 +0200
Message-Id: <20200416102011.9053-1-ibr@radix50.net>
In-Reply-To: <20200416101744.3bjlmwn35bjopz5d@yssyq.m.ilbers.de>
References: <20200416101744.3bjlmwn35bjopz5d@yssyq.m.ilbers.de>
From: Quirin Gylstorff Add the option to remove all ssh_host_keys during image_postprocessing. This ensures that images with read-only rootfs or overlays use the keys generated during the image generation. sshd-regen-keys: Create new ssh keys if the keys do not exist. Signed-off-by: Quirin Gylstorff Signed-off-by: Vlad Serebrennikov --- meta/classes/image-postproc-extension.bbclass | 9 ++++++++- .../sshd-regen-keys/files/sshd-regen-keys.service | 1 - .../sshd-regen-keys/files/sshd-regen-keys.sh | 10 +++++----- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/meta/classes/image-postproc-extension.bbclass b/meta/classes/image-postproc-extension.bbclass index bb59297..ab89ab5 100644 --- a/meta/classes/image-postproc-extension.bbclass +++ b/meta/classes/image-postproc-extension.bbclass @@ -53,8 +53,15 @@ image_postprocess_machine_id() { sudo install -m 644 '/dev/null' '${IMAGE_ROOTFS}/etc/machine-id' } -ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" +ROOTFS_POSTPROCESS_COMMAND =+ "${@bb.utils.contains('IMAGE_FEATURES', 'delete_ssh_host_keys', 'image_postprocess_delete_ssh_host_keys', '', d)}" +image_postprocess_delete_ssh_host_keys() { + if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then + sudo chroot ${IMAGE_ROOTFS} \ + find /etc/ssh/ -iname "ssh_host_*key*" -exec rm {} \; + fi +} +ROOTFS_POSTPROCESS_COMMAND =+ "image_postprocess_sshd_key_regen" image_postprocess_sshd_key_regen() { nhkeys=$( find ${IMAGE_ROOTFS}/etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c ) if [ $nhkeys -ne 0 -a ! -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]; then diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index a05e1a9..416cb11 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service 
@@ -11,7 +11,6 @@ Type=oneshot RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index 11fca3b..9263c83 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ -6,11 +6,11 @@ if systemctl is-enabled ssh; then systemctl disable --no-reload ssh fi -echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* - -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server +nhkeys=$( find /etc/ssh/ -iname "ssh_host_*key*" -printf '.' | wc -c ) +if [ "${nhkeys}" -eq "0" ]; then + echo "Regenerating keys ..." + dpkg-reconfigure openssh-server +fi if test -n $SSHD_ENABLED; then echo "Reenabling ssh server ..." -- 2.20.1
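Review bot: in the image-postproc-extension.bbclass hunk, image_postprocess_delete_ssh_host_keys silently does nothing when delete_ssh_host_keys is in IMAGE_FEATURES but sshd-regen-keys is not installed in the rootfs (the `if [ -d ${IMAGE_ROOTFS}/usr/share/doc/sshd-regen-keys ]` guard has no else branch), so the build-time keys stay in the image and the user gets no hint that the requested feature was not applied; add an else branch with bbwarn or bbfatal saying that delete_ssh_host_keys requires sshd-regen-keys, mirroring the check image_postprocess_sshd_key_regen already makes for the opposite case. Two smaller points: `${IMAGE_ROOTFS}` is unquoted in both the -d test and the chroot call (the machine-id context line above quotes it), and the new IMAGE_FEATURES flag is not documented anywhere in this patch (the diffstat touches only the class and the two sshd-regen-keys files).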
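Review bot: in the sshd-regen-keys.service hunk, with the `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` line gone the unit now runs on every boot, and sshd-regen-keys.sh disables ssh (`systemctl disable --no-reload ssh`) before it decides whether there is anything to regenerate, so each boot flips the ssh unit off and back on even when the keys are already in place. Either move the host-key count check ahead of the disable in the script, or keep the unit from starting at all when keys exist with a `ConditionPathExists=!/etc/ssh/ssh_host_rsa_key` style condition (one per key file the image is expected to carry).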
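Review bot: in the sshd-regen-keys.sh hunk, dropping the unconditional `rm -v /etc/ssh/ssh_host_*_key*` changes the default for every image that installs sshd-regen-keys without also adding delete_ssh_host_keys to IMAGE_FEATURES: the keys generated during the build now survive first boot, so all devices flashed from that image share one host key set and can impersonate each other to any client that trusted the first one. That is the opposite of what the recipe guaranteed before and deserves at least a loud mention in the commit message and the documentation, or making the postprocess removal the default whenever sshd-regen-keys is installed. Also, `[ "${nhkeys}" -eq "0" ]` skips regeneration as soon as any file matches, so a rootfs with a partial key set (say only the ed25519 pair) never gets the missing types; if dpkg-reconfigure openssh-server only creates keys that are absent, the guard can simply go, otherwise test per expected key file. In the unchanged context just below, `test -n $SSHD_ENABLED` is unquoted and therefore true even when the variable is empty; quote it.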
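The mechanism this patch relies on, host keys stripped from the rootfs at build time and regenerated on the device, fails silently when either half is skipped, as the guarded delete and the conditional regeneration above show. The following is an added example, not Isar code and not part of this patch: a POSIX shell audit that counts the host key files left in unpacked rootfs trees and reports public host keys shared between two images, which is the symptom of build-time keys that were never regenerated. The rootfs directories, the file names under etc/ssh and the key contents are constructed fixtures (not real keys); only the `ssh_host_*key*` name pattern is taken from the patch.

```shell
#!/bin/sh
# Added example, not code from Isar or from this patch: audit unpacked rootfs
# trees for SSH host keys baked in at build time and detect host keys shared
# between two images. All directories and key contents below are constructed
# fixtures; nothing here is a real key.

set -u

# Number of host key files (private and public) under a rootfs tree.
# Same name pattern as sshd-regen-keys uses.
count_host_keys() {
    find "$1/etc/ssh" -type f -iname 'ssh_host_*key*' 2>/dev/null | wc -l | tr -d ' '
}

# Sorted SHA-256 digests of the public host keys in a rootfs tree.
host_key_digests() {
    find "$1/etc/ssh" -type f -iname 'ssh_host_*key.pub' -exec sha256sum {} \; 2>/dev/null \
        | awk '{ print $1 }' | sort -u
}

# Number of public host keys two rootfs trees have in common (0 is the only
# acceptable answer for two images that are meant to get per-device keys).
shared_host_keys() {
    a=$(mktemp); b=$(mktemp)
    host_key_digests "$1" > "$a"
    host_key_digests "$2" > "$b"
    n=$(comm -12 "$a" "$b" | wc -l | tr -d ' ')
    rm -f "$a" "$b"
    echo "$n"
}

# Verdict for a single image: "clean" if no host keys are baked in, else "baked".
image_verdict() {
    if [ "$(count_host_keys "$1")" -eq 0 ]; then echo clean; else echo baked; fi
}

# --- constructed fixtures (hypothetical images, fake key material) ---
make_fixture() {   # make_fixture <rootfs> <rsa-pub-content> <ed25519-pub-content>
    mkdir -p "$1/etc/ssh"
    printf 'fake-private-rsa\n'     > "$1/etc/ssh/ssh_host_rsa_key"
    printf '%s\n' "$2"              > "$1/etc/ssh/ssh_host_rsa_key.pub"
    printf 'fake-private-ed25519\n' > "$1/etc/ssh/ssh_host_ed25519_key"
    printf '%s\n' "$3"              > "$1/etc/ssh/ssh_host_ed25519_key.pub"
    chmod 600 "$1/etc/ssh/ssh_host_rsa_key" "$1/etc/ssh/ssh_host_ed25519_key"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG_A="$WORK/image-a"; IMG_B="$WORK/image-b"; IMG_C="$WORK/image-c"
make_fixture "$IMG_A" 'ssh-rsa AAAA-shared' 'ssh-ed25519 AAAA-a'
make_fixture "$IMG_B" 'ssh-rsa AAAA-shared' 'ssh-ed25519 AAAA-b'   # same RSA key as image-a
mkdir -p "$IMG_C/etc/ssh"                                          # keys removed at build time

for img in "$IMG_A" "$IMG_B" "$IMG_C"; do
    echo "$(basename "$img"): $(count_host_keys "$img") host key files, $(image_verdict "$img")"
done
echo "image-a/image-b shared public host keys: $(shared_host_keys "$IMG_A" "$IMG_B")"
```

Point it at the unpacked IMAGE_ROOTFS of two builds from the same configuration, or at two devices' /etc/ssh copied off the hardware after first boot: a non-zero shared count means first-boot regeneration did not happen, whatever the build log says.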