From: Henning Schild
To: isar-users
Cc: Jan Kiszka, Henning Schild
Subject: [PATCH] sshd-regen-keys: Improve service, make more robust
Date: Fri, 26 Mar 2021 09:11:08 +0100
Message-Id: <20210326081108.26648-1-henning.schild@siemens.com>
In-Reply-To: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>

Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure. With this we would generate new host keys every time the service starts and no keys exist. Removing the keys from openssh-server in a postinst makes it complete so that we really only generate on the first boot. This is easier to handle than reusing the debian package hooks for key generation.
Signed-off-by: Henning Schild --- .../sshd-regen-keys/files/postinst | 2 ++ .../files/sshd-regen-keys.service | 4 +--- .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst index ae722a7349a2..1c9b03e3e040 100644 --- a/meta/recipes-support/sshd-regen-keys/files/postinst +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@ #!/bin/sh set -e +rm /etc/ssh/ssh_host_*_key* + systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c820d8..af98d5e9e966 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive -ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh deleted file mode 100644 index 910d879ba51f..000000000000 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env sh - -echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh -fi - -echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* - -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server - -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh -fi - -sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted file mode 100644 index 6f12414239a3..000000000000 --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ /dev/null @@ -1,17 +0,0 @@ -# This software is a part of ISAR. -inherit dpkg-raw - -DESCRIPTION = "Systemd service to regenerate sshd keys" -MAINTAINER = "isar-users " -DEBIAN_DEPENDS = "openssh-server, systemd" - -SRC_URI = "file://postinst \ - file://sshd-regen-keys.service \ - file://sshd-regen-keys.sh" - -do_install[cleandirs] = "${D}/lib/systemd/system \ - ${D}/usr/sbin" -do_install() { - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" -} diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +inherit dpkg-raw + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +do_install() { + install -m 0755 "${D}/lib/systemd/system" + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +} -- 2.26.3
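Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs under `set -e`, so if the glob matches nothing (no keys were generated in the build chroot, or the package is reconfigured after they were already removed) the unexpanded pattern is passed to rm, rm exits non-zero and package configuration aborts. Use `rm -f /etc/ssh/ssh_host_*_key*` so an already-empty key set is not an error. The deletion itself is the right move: without it every image built from the same rootfs ships identical host keys, and the new service, which only creates keys that are missing, would never replace them.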
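Review bot: in the service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` means the unit now runs on every boot; that is acceptable only because `ssh-keygen -A` generates keys for the types that are missing and leaves existing ones untouched, and it would be worth stating that in the unit file as a comment. What the hunk does not show is the [Unit] ordering: the removed script explicitly disabled ssh around key generation and re-enabled it afterwards, while the new `ExecStart=/usr/bin/ssh-keygen -A` relies on sshd not being started before the keys exist, so confirm the unit carries `Before=ssh.service`, otherwise sshd can fail on first boot because no host keys are available yet.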
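Review bot: in the sshd-regen-keys_0.4.bb hunk, `install -m 0755 "${D}/lib/systemd/system"` is missing `-d`: with a single operand install expects SOURCE and DEST and fails with "missing destination file operand", so do_install aborts before the unit file is copied. The 0.3 recipe created that directory via `do_install[cleandirs]`, which this version drops, so change the line to `install -d -m 0755 "${D}/lib/systemd/system"`. Dropping `${D}/usr/sbin` is correct now that sshd-regen-keys.sh is gone.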