Date: Thu, 25 Mar 2021 15:30:26 +0100
From: Henning Schild
To: Jan Kiszka
Cc: isar-users, Quirin Gylstorff, Harald Seiler
Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210325153026.5d51271a@md1za8fc.ad001.siemens.net>
In-Reply-To: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>

I am beginning to think we should fix that upstream. If the upstream service file would generate the keys if missing ... all isar would need to do is remove the files. Either with a package hook or with an image-postprocess.

On Thu, 25 Mar 2021 13:54:02 +0100 Jan Kiszka wrote:
> From: Jan Kiszka
>
> This improves a number of things:
>
> - stop the service while regenerating keys, rather than disabling its
>   auto-start

Not sure this is going to work. There is this "Before=ssh.service" which I would expect makes sure it should never end up being "is-active". And that dpkg-reconfigure also plays with is-active ... /var/lib/dpkg/info/openssh-server.postinst

The idea was to reuse the key generation code from that postinst, but the construct we need to build to get that to work seems to be getting out of hand and too complicated. In fact it is systemd-only, which could be an issue for some.

Maybe running after ssh
- remove
- "create with own code"
- "copy those few ssh-keygen lines"
- or "source openssh-server.postinst && create_keys"
- killall -HUP sshd (systemctl reload ssh)

might turn out to be the simpler and easier to maintain version.

For sure Harald should be involved, did add him to Cc.

Henning

> - fix restart test condition
> - also check that /tmp is writable (better safe than sorry)
> - do not disable the regen service if it was not successful
>
> Signed-off-by: Jan Kiszka
> ---
>
> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> server if previously disabled".
>
>  .../sshd-regen-keys/files/sshd-regen-keys.service  |  2 +-
>  .../sshd-regen-keys/files/sshd-regen-keys.sh       | 14 ++++++++------
>  ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} |  0
>  3 files changed, 9 insertions(+), 7 deletions(-)
>  rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c8..e7142e69 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -5,13 +5,13 @@ Conflicts=shutdown.target > After=systemd-remount-fs.service Before=shutdown.target ssh.service > ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp > [Service] > Type=oneshot > RemainAfterExit=yes > Environment=DEBIAN_FRONTEND=noninteractive > ExecStart=/usr/sbin/sshd-regen-keys.sh > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > StandardOutput=syslog > StandardError=syslog > > diff --git > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index > 910d879b..9b19f9d3 100644 --- > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ > -1,9 +1,9 @@ #!/usr/bin/env sh > echo -n "SSH server is " > -if systemctl is-enabled ssh; then > - SSHD_ENABLED="true" > - systemctl disable --no-reload ssh > +if systemctl is-active ssh; then > + SSHD_ACTIVE="true" > + systemctl stop ssh > fi > > echo "Removing keys ..." > @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* > echo "Regenerating keys ..." > dpkg-reconfigure openssh-server > > -if test -n $SSHD_ENABLED; then > - echo "Reenabling ssh server ..." > - systemctl enable --no-reload ssh > +if test -n "$SSHD_ACTIVE"; then > + echo "Restarting ssh server ..." > + systemctl start ssh > fi > > +systemctl disable sshd-regen-keys.service > + > sync > diff --git > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > similarity index 100% rename from > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
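Review bot: In the sshd-regen-keys.service hunk, `Before=ssh.service` stays in place while the script now keys its stop/start branch on `systemctl is-active ssh`; at boot the unit therefore runs before sshd has been started, so that branch is effectively dead on first boot and only matters when the script is run by hand. Worth a sentence in the commit message as well: a failing `ConditionPathIsReadWrite=/tmp` skips the unit silently rather than failing it, so the unit stays enabled and is retried on the next boot, which is presumably intended.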
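Review bot: In the first sshd-regen-keys.sh hunk, the kept `echo -n "SSH server is "` under `#!/usr/bin/env sh` relies on a non-POSIX echo option; `printf 'SSH server is '` is portable and avoids a literal "-n" ending up in the journal on shells whose echo lacks it.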
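Review bot: In the second sshd-regen-keys.sh hunk, the now unconditional `systemctl disable sshd-regen-keys.service` does not deliver "do not disable the regen service if it was not successful": the script has no `set -e`, so when `rm` or `dpkg-reconfigure openssh-server` fails it carries on, runs `systemctl start ssh` on a system without host keys, disables itself anyway, and the unit still reports success because the script's exit status is that of `sync`. Suggest `set -e` at the top of the script, or at least `dpkg-reconfigure openssh-server || exit 1` before the disable. The quoting change to `test -n "$SSHD_ACTIVE"` is the right fix for the old condition: with the variable empty, unquoted `test -n $SSHD_ENABLED` collapses to `test -n`, which is true, so the old script always re-enabled ssh.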
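An added example, not code from the patch or from isar: the alternative Henning sketches above (run after ssh, create the keys with ssh-keygen directly, reload sshd), written so that the oneshot unit is disabled only once a complete key set has been verified. SSH_DIR, SSH_KEYGEN, SYSTEMCTL and the key-type list are assumptions, made overridable so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not the isar recipe's script): regenerate SSH host keys and
# disable the unit only after the new keys are verified. SSH_DIR, SSH_KEYGEN,
# SYSTEMCTL and KEY_TYPES are assumptions, overridable for offline testing.
set -eu

SSH_DIR="${SSH_DIR:-/etc/ssh}"
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
KEY_TYPES="rsa ecdsa ed25519"   # the types Debian's openssh-server creates

# Drop every baked-in host key pair so cloned images stop sharing an identity.
remove_host_keys() {
    rm -f "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub
}

# One unencrypted key pair per type, as sshd expects for host keys.
generate_host_keys() {
    for t in $KEY_TYPES; do
        "$SSH_KEYGEN" -q -N "" -t "$t" -f "$1/ssh_host_${t}_key"
    done
}

# True only when both halves of every key exist and are non-empty.
host_keys_complete() {
    for t in $KEY_TYPES; do
        [ -s "$1/ssh_host_${t}_key" ] && [ -s "$1/ssh_host_${t}_key.pub" ] || return 1
    done
}

# Returns non-zero if any step left the directory without a full key set.
regen_host_keys() {
    remove_host_keys "$1"
    generate_host_keys "$1"
    host_keys_complete "$1"
}

# Runs only when invoked under the unit's script name, so the functions above
# can be sourced or tested without touching /etc/ssh.
if [ "${0##*/}" = "sshd-regen-keys.sh" ]; then
    regen_host_keys "$SSH_DIR"
    # sshd re-reads host keys on SIGHUP; the try-* verb leaves a stopped sshd stopped.
    "$SYSTEMCTL" try-reload-or-restart ssh.service
    # With set -e a failed regeneration never reaches this line, so the unit
    # stays enabled and is retried on the next boot.
    "$SYSTEMCTL" disable sshd-regen-keys.service
    sync
fi
```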