Date: Fri, 26 Mar 2021 08:35:51 +0100
From: Henning Schild
To: Jan Kiszka
Cc: isar-users, Quirin Gylstorff, Harald Seiler
Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210326083551.4f90e50b@md1za8fc.ad001.siemens.net>
In-Reply-To: <617ecfce-3b7e-cce7-ba5d-f86c87287e8b@siemens.com>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com> <20210325153026.5d51271a@md1za8fc.ad001.siemens.net> <617ecfce-3b7e-cce7-ba5d-f86c87287e8b@siemens.com>

On Thu, 25 Mar 2021 19:53:46 +0100, Jan Kiszka wrote:

> On 25.03.21 15:30, Henning Schild wrote:
> > I am beginning to think we should fix that upstream. If the upstream
> > service file would generate the keys if missing ... all isar would
> > need to do is remove the files. Either with a package hook or with a
> > image-postprocess
> > 
> > On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka wrote:
> > 
> >> From: Jan Kiszka
> >> 
> >> This improves a number of things:
> >> 
> >> - stop the service while regenerating keys, rather than disabling
> >>   its auto-start
> > 
> > Not sure this is going to work. There is this "Before=ssh.service"
> > which I would expect makes sure it should never end up being
> > "is-active". And that dpkg-reconfigure also plays with is-active ...
> > /var/lib/dpkg/info/openssh-server.postinst
> > 
> > The idea was to reuse the key generation code from that postinst,
> > but the construct we need to build to get that to work seems to be
> > getting out of hand and too complicated. In fact it is
> > systemd-only, which could be an issue for some.
> > 
> > Maybe running after ssh
> > - remove
> > - "create with own code"
> > - "copy those few ssh-keygen lines"
> > - or "source openssh-server.postinst && create_keys"
> > - killall -HUP sshd (systemctl reload ssh)
> > might turn out to be the simpler and easier to maintain version.
> > 
> > For sure Harald should be involved, did add him to Cc.
> > 
> 
> I don't mind any simpler solution. It needs to be robust as well,
> that's all. The one we have so far once again fell apart today and
> cost me hours to understand and resolve (because it was slow to
> reproduce).

What I proposed should hopefully be more robust and simpler, but I have
no time to implement and test it.

What could be even simpler:

  /etc/systemd/system/sshd.service.d/generate-missing-keys.conf

    [Service]
    ExecStartPre=
    ExecStartPre=/usr/bin/ssh-keygen -A
    ExecStartPre=/usr/sbin/sshd -t

  DEBIAN_DEPENDS="openssh-server"

  postinst
    rm -v /etc/ssh/ssh_host_*_key*

That ExecStartPre is what seems to be missing in the service file from
Debian, because they seem to assume they fully deal with keys at
installation time and never at runtime. Unfortunately we need 3 lines
because we need to prepend before the "sshd -t".
First to "overwrite", second "our content", third "content from
original".

Tried that manually on a system: with the systemd snippet you get new
keys every time the existing ones go missing.

regards,
Henning

> 
> Jan
> 
> > Henning
> > 
> >> - fix restart test condition
> >> - also check that /tmp is writable (better safe than sorry)
> >> - do not disable the regen service if it was not successful
> >> 
> >> Signed-off-by: Jan Kiszka
> >> ---
> >> 
> >> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> >> server if previously disabled".
> >> 
> >>  .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
> >>  .../sshd-regen-keys/files/sshd-regen-keys.sh      | 14 ++++++++------
> >>  ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0
> >>  3 files changed, 9 insertions(+), 7 deletions(-)
> >>  rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)
> >> 
> >> diff --git > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >> index f50d34c8..e7142e69 100644 --- > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >> +++ > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >> @@ -5,13 +5,13 @@ Conflicts=shutdown.target > >> After=systemd-remount-fs.service Before=shutdown.target ssh.service > >> ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp > >> [Service] > >> Type=oneshot > >> RemainAfterExit=yes > >> Environment=DEBIAN_FRONTEND=noninteractive > >> ExecStart=/usr/sbin/sshd-regen-keys.sh > >> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > >> StandardOutput=syslog > >> StandardError=syslog 
> >> > >> diff --git > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >> index 910d879b..9b19f9d3 100644 --- > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ > >> -1,9 +1,9 @@ #!/usr/bin/env sh > >> echo -n "SSH server is " > >> -if systemctl is-enabled ssh; then > >> - SSHD_ENABLED="true" > >> - systemctl disable --no-reload ssh > >> +if systemctl is-active ssh; then > >> + SSHD_ACTIVE="true" > >> + systemctl stop ssh > >> fi > >> > >> echo "Removing keys ..." > >> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* > >> echo "Regenerating keys ..." > >> dpkg-reconfigure openssh-server > >> > >> -if test -n $SSHD_ENABLED; then > >> - echo "Reenabling ssh server ..." > >> - systemctl enable --no-reload ssh > >> +if test -n "$SSHD_ACTIVE"; then > >> + echo "Restarting ssh server ..." > >> + systemctl start ssh > >> fi > >> > >> +systemctl disable sshd-regen-keys.service > >> + > >> sync > >> diff --git > >> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > >> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > >> similarity index 100% rename from > >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename > >> to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > >
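Review bot: in the sshd-regen-keys.service hunk, the new ConditionPathIsReadWrite=/tmp needs a comment in the unit (or a sentence in the commit message) naming the step that requires a writable /tmp, because nothing in sshd-regen-keys.sh references /tmp itself and "better safe than sorry" does not tell the next reader which tool breaks without it. A failing Condition* is not a unit failure: systemd skips the unit silently and leaves it enabled, so on a host where /tmp is read-only the only trace of the keys not being regenerated is a "condition failed" line in the journal. With the ExecStartPost disable removed here, the unit file should also state that disabling the unit is now the script's job, otherwise the unit reads as if it re-runs on every boot.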
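Review bot: the `systemctl is-active ssh` branch in the first sshd-regen-keys.sh hunk is effectively dead on a normal boot: the unit is ordered Before=ssh.service (see the service hunk), so ssh has not been started when this script runs, SSHD_ACTIVE stays empty and the stop/start only takes effect when someone starts the unit by hand after boot. If that is the intended behaviour, a comment above the `if` saying so would help; if the script is meant to handle a running sshd, the ordering and the check should be reconciled rather than both kept.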
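Review bot: `systemctl disable sshd-regen-keys.service` in the second sshd-regen-keys.sh hunk runs unconditionally, which contradicts the commit message's "do not disable the regen service if it was not successful". The script has no `set -e`, so when `rm` or `dpkg-reconfigure openssh-server` fails the unit is disabled anyway and the status systemd sees is that of the trailing `sync`; the removed `ExecStartPost=-/bin/systemctl disable ...` was at least skipped when ExecStart exited non-zero, and now even that path is gone. Suggest `set -e` at the top of the script, or guarding the disable on the outcome, e.g. `ls /etc/ssh/ssh_host_*_key >/dev/null 2>&1 && systemctl disable sshd-regen-keys.service`, so a failed regeneration leaves the unit enabled for the next boot. The added quoting in `test -n "$SSHD_ACTIVE"` is the right fix: the old unquoted `test -n $SSHD_ENABLED` degenerated to `test -n` when the variable was empty, which is always true.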
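The drop-in approach Henning sketches in his reply, carried a little further, as an added example that is not part of this thread or of Isar's code: a POSIX sh script that writes the override, checks that the reset line comes first so `ssh-keygen -A` is guaranteed to run before Debian's `sshd -t` config test, and reports which host keys are missing from a directory, which is the check a practitioner wants after the unit has run (a host booting without host keys, or with keys every other host from the same image also has, is what this recipe exists to prevent). Assumptions: the key types rsa, ecdsa and ed25519 as Debian's openssh-server generates them, the paths `/usr/bin/ssh-keygen`, `/usr/sbin/sshd` and `/etc/ssh` from the thread, and the drop-in directory `sshd.service.d` as used in Henning's sketch.

```shell
#!/bin/sh
# Added example (not from the Isar patch or the mailing-list thread).
# Demonstrates the ExecStartPre drop-in idea: regenerate missing host keys
# before sshd's config test, and verify afterwards that no key is missing.

# Host key types Debian's openssh-server ships by default (assumption).
# "ssh-keygen -A" creates every supported type whose key file is absent.
HOST_KEY_TYPES="rsa ecdsa ed25519"

# Print the drop-in. The empty "ExecStartPre=" resets the list inherited from
# the packaged unit; without it the two lines below would be appended AFTER
# Debian's own "sshd -t", which fails while the keys are still missing.
drop_in_content() {
    cat <<'EOF'
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
EOF
}

# Validate a drop-in file: return 0 only if the first ExecStartPre= is the
# reset (empty value) and the last one is the config test, i.e. key
# generation always precedes "sshd -t". Argument 1: path to the drop-in.
check_drop_in_order() {
    first=$(grep '^ExecStartPre=' "$1" | head -n1)
    last=$(grep '^ExecStartPre=' "$1" | tail -n1)
    [ "$first" = "ExecStartPre=" ] || return 1
    case "$last" in
        *"sshd -t") return 0 ;;
        *) return 1 ;;
    esac
}

# Write the drop-in below a root directory (argument 1; "/" on a real host)
# and validate it, so a broken override is caught before daemon-reload.
# Drop-in directory name is the one from the thread (assumption).
install_drop_in() {
    d="$1/etc/systemd/system/sshd.service.d"
    mkdir -p "$d"
    drop_in_content > "$d/generate-missing-keys.conf"
    check_drop_in_order "$d/generate-missing-keys.conf"
}

# List host key types whose private or public key file is missing or empty
# in a directory (argument 1, default /etc/ssh). Prints one type per line;
# returns 1 if anything is missing, 0 if the host has a full key set.
missing_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for t in $HOST_KEY_TYPES; do
        if [ ! -s "$dir/ssh_host_${t}_key" ] || [ ! -s "$dir/ssh_host_${t}_key.pub" ]; then
            echo "$t"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real host:  sh generate-missing-keys.sh --install  (writes the
# drop-in under /), or  --check  (reports missing keys under /etc/ssh).
case "${1:-}" in
    --install) install_drop_in / ;;
    --check)   missing_host_keys /etc/ssh ;;
esac
```

After `--install` a `systemctl daemon-reload` is still needed for systemd to pick up the drop-in; `--check` is the post-boot verification step, and its non-zero exit status makes it usable from a first-boot test or a monitoring probe.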