Date: Fri, 26 Mar 2021 09:14:31 +0100
From: Henning Schild
To: Jan Kiszka
Cc: isar-users, Quirin Gylstorff, Harald Seiler
Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210326091431.02e5c498@md1za8fc.ad001.siemens.net>
In-Reply-To: <20210326083551.4f90e50b@md1za8fc.ad001.siemens.net>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
 <20210325153026.5d51271a@md1za8fc.ad001.siemens.net>
 <617ecfce-3b7e-cce7-ba5d-f86c87287e8b@siemens.com>
 <20210326083551.4f90e50b@md1za8fc.ad001.siemens.net>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 26 Mar 2021 08:35:51 +0100, "[ext] Henning Schild" wrote:
> On Thu, 25 Mar 2021 19:53:46 +0100, Jan Kiszka wrote:
> 
> > On 25.03.21 15:30, Henning Schild wrote:
> > > I am beginning to think we should fix that upstream. If the
> > > upstream service file would generate the keys if missing ... all
> > > isar would need to do is remove the files. Either with a package
> > > hook or with an image-postprocess
> > > 
> > > On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka wrote:
> > > 
> > >> From: Jan Kiszka
> > >> 
> > >> This improves a number of things:
> > >> 
> > >> - stop the service while regenerating keys, rather than
> > >>   disabling its auto-start
> > > 
> > > Not sure this is going to work. There is this "Before=ssh.service"
> > > which I would expect makes sure it should never end up being
> > > "is-active". And that dpkg-reconfigure also plays with is-active
> > > ... /var/lib/dpkg/info/openssh-server.postinst
> > > 
> > > The idea was to reuse the key generation code from that postinst,
> > > but the construct we need to build to get that to work seems to be
> > > getting out of hand and too complicated. In fact it is
> > > systemd-only, which could be an issue for some.
> > > 
> > > Maybe running after ssh
> > > - remove
> > > - "create with own code"
> > >   - "copy those few ssh-keygen lines"
> > >   - or "source openssh-server.postinst && create_keys"
> > > - killall -HUP sshd (systemctl reload ssh)
> > > might turn out to be the simpler and easier to maintain version.
> > > 
> > > For sure Harald should be involved, did add him to Cc.
> > > 
> > 
> > I don't mind any simpler solution. It needs to be robust as well,
> > that's all. The one we have so far once again fell apart today and
> > cost me hours to understand and resolve (because it was slow to
> > reproduce).
> 
> What I proposed should hopefully be more robust and simpler, but I
> have no time to implement and test it.
> 
> What could be even simpler
> 
> /etc/systemd/system/sshd.service.d/generate-missing-keys.conf
> [Service]
> ExecStartPre=
> ExecStartPre=/usr/bin/ssh-keygen -A
> ExecStartPre=/usr/sbin/sshd -t
> 
> DEBIAN_DEPENDS="openssh-server"
> 
> postinst
> rm -v /etc/ssh/ssh_host_*_key*
> 
> That ExecStartPre is what seems to be missing in the service file from
> Debian because they seem to assume they fully deal with keys at
> installation time and never at runtime.
> Unfortunately we need 3 lines because we need to prepend before the
> "sshd -t".
> First to "overwrite", second "our content", third "content
> from original"

Because of that prepend and having to copy existing "ExecStartPre" into
the snippet, a Before-service is probably better. Because that simply
does not care what the original service might look like. Did send a
patch.

regards,
Henning

> Tried that manually on a system, with the systemd snippet you get new
> keys every time the existing ones go missing.
> 
> regards,
> Henning
> 
> > 
> > Jan
> > 
> > > Henning
> > > 
> > >> - fix restart test condition
> > >> - also check that /tmp is writable (better safe than sorry)
> > >> - do not disable the regen service if it was not successful
> > >> 
> > >> Signed-off-by: Jan Kiszka
> > >> ---
> > >> 
> > >> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> > >> server if previously disabled".
> > >> 
> > >>  .../sshd-regen-keys/files/sshd-regen-keys.service |  2 +-
> > >>  .../sshd-regen-keys/files/sshd-regen-keys.sh      | 14 ++++++++------
> > >>  ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} |  0
> > >>  3 files changed, 9 insertions(+), 7 deletions(-)
> > >>  rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)
> > >> 
> > >> diff --git > > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > >> index f50d34c8..e7142e69 100644 --- > > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > >> +++ > > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > >> @@ -5,13 +5,13 @@ Conflicts=shutdown.target > > >> After=systemd-remount-fs.service Before=shutdown.target > > >> ssh.service ConditionPathIsReadWrite=/etc > > >> +ConditionPathIsReadWrite=/tmp [Service] > > >> Type=oneshot > > >> RemainAfterExit=yes > > >> Environment=DEBIAN_FRONTEND=noninteractive > > >> ExecStart=/usr/sbin/sshd-regen-keys.sh > > >> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > > >> StandardOutput=syslog > > >> StandardError=syslog > > >> > > >> diff --git > > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > >> index 910d879b..9b19f9d3 100644 --- > > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > >> +++ > > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > >> @@ -1,9 +1,9 @@ #!/usr/bin/env sh echo -n "SSH server is " > > >> -if systemctl is-enabled ssh; then > > >> - SSHD_ENABLED="true" > > >> - systemctl disable --no-reload ssh > > >> +if systemctl is-active ssh; then > > >> + SSHD_ACTIVE="true" > > >> + systemctl stop ssh > > >> fi > > >> > > >> echo "Removing keys ..." > > >> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* > > >> echo "Regenerating keys ..." > > >> dpkg-reconfigure openssh-server > > >> > > >> -if test -n $SSHD_ENABLED; then > > >> - echo "Reenabling ssh server ..." > > >> - systemctl enable --no-reload ssh > > >> +if test -n "$SSHD_ACTIVE"; then > > >> + echo "Restarting ssh server ..." > > >> + systemctl start ssh > > >> fi > > >> > > >> +systemctl disable sshd-regen-keys.service > > >> + > > >> sync > > >> diff --git > > >> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > >> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > >> similarity index 100% rename from > > >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > >> rename to > > >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > > > > >
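Review bot: in the sshd-regen-keys.service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` and moving the disable into the script means a non-zero exit leaves the oneshot unit enabled, so it runs again on every boot and each run executes `rm -v /etc/ssh/ssh_host_*_key*` before `dpkg-reconfigure`; that is the "do not disable if not successful" behaviour the commit message asks for, but it should be stated in a comment in the unit that a persistently failing regeneration keeps the machine without host keys, and therefore without sshd, until the cause is fixed. The added `ConditionPathIsReadWrite=/tmp` also deserves a word: a Condition that is not met makes the unit skip silently rather than fail, so a read-only /tmp would leave the build-time keys in place with nothing in the journal pointing at it; if that case should be loud, `AssertPathIsReadWrite=/tmp` is the variant that fails the unit.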
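Review bot: in the sshd-regen-keys.sh hunk, `systemctl disable sshd-regen-keys.service` now runs unconditionally at the end, but nothing checks the exit status of `dpkg-reconfigure openssh-server` and the script has no `set -e` under its `#!/usr/bin/env sh`, so the regen unit is still disabled after a failed regeneration, which is exactly what the commit message says this change should prevent; suggest `set -e` right after the shebang or `dpkg-reconfigure openssh-server || exit 1` before the disable. The quoting fix `test -n "$SSHD_ACTIVE"` is correct: the old unquoted `test -n $SSHD_ENABLED` collapsed to `test -n`, which is always true when the variable is empty, so the re-enable branch ran regardless. Separately, the unit's `Before=ssh.service` (visible in the first hunk's context) means `systemctl is-active ssh` is normally false at this point, so the stop/start branch only matters when the script is invoked by hand; a comment saying so would save the next reader the investigation Henning describes above.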
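The three-line drop-in in Henning's reply relies on one systemd rule: assigning an empty value to a list-type setting such as `ExecStartPre=` clears everything collected so far, and later assignments append in order. The following is an added example, not code from the thread or from the isar project, that implements that merge rule so the difference between a one-line drop-in (which lands after `sshd -t`) and the clear-and-re-add form (which prepends) can be checked without touching a live system. The unit texts are constructed stand-ins for Debian's ssh.service and the proposed drop-in, not copies of either; `parse_unit` handles only the subset of unit-file syntax needed here.

```python
"""Effective ExecStartPre list of a systemd service after drop-ins.

Added example for the isar-users thread on sshd-regen-keys; it is not
isar or Debian code.  It models the systemd rule the thread relies on:
an empty assignment to a list-type setting resets the list, and later
assignments append.  The unit texts are constructed stand-ins.
"""

from typing import List, Optional, Tuple

# Constructed stand-in for Debian's ssh.service (not the real file).
BASE_UNIT = """\
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
"""

# Naive drop-in: a single line only appends, so key generation would
# run *after* "sshd -t" has already failed on a keyless system.
NAIVE_DROPIN = """\
[Service]
ExecStartPre=/usr/bin/ssh-keygen -A
"""

# Drop-in as proposed in the thread: clear the list, then re-add the
# commands in the wanted order (keygen first, config test second).
PREPEND_DROPIN = """\
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
"""


def parse_unit(text: str) -> List[Tuple[Optional[str], str, str]]:
    """Return (section, key, value) triples in file order.

    Handles [section] headers, key=value lines, blank lines and
    '#'/';' comments; line continuations and quoting are out of scope.
    """
    section: Optional[str] = None
    entries: List[Tuple[Optional[str], str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def effective_list(key: str, *unit_texts: str,
                   section: str = "Service") -> List[str]:
    """Merge a list-type setting across the main unit and its drop-ins.

    Units are applied in the order given (main unit first, then
    drop-ins).  An empty assignment resets the list collected so far;
    any other assignment is appended.
    """
    values: List[str] = []
    for text in unit_texts:
        for sec, k, v in parse_unit(text):
            if sec != section or k != key:
                continue
            if v == "":
                values.clear()
            else:
                values.append(v)
    return values


def exec_start_pre_with(dropin: str) -> List[str]:
    """Effective ExecStartPre of the stand-in ssh.service plus one drop-in."""
    return effective_list("ExecStartPre", BASE_UNIT, dropin)


if __name__ == "__main__":
    print("one-line drop-in :", exec_start_pre_with(NAIVE_DROPIN))
    print("clear-and-re-add :", exec_start_pre_with(PREPEND_DROPIN))
```

The same merge rule is what makes the Before-service alternative attractive: a separate unit ordered with `Before=ssh.service` never has to know, or copy, the original unit's `ExecStartPre` lines, so it keeps working if Debian changes them.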