Date: Fri, 26 Mar 2021 10:24:11 +0100
From: Henning Schild
To: isar-users
Cc: Jan Kiszka, Harald Seiler, Quirin Gylstorff
Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210326102411.7a419a47@md1za8fc.ad001.siemens.net>
In-Reply-To: <20210326081108.26648-1-henning.schild@siemens.com>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com> <20210326081108.26648-1-henning.schild@siemens.com>

This uses the same subject line as the patch from Jan, maybe I should have used v2 or another line.
It is the outcome of the review on Jan's patch but uses a different approach on key regeneration.

Jan, please test it and let me know what you think. Feel free to take over and massage it further in case this looks like a valid approach.

regards,
Henning

On Fri, 26 Mar 2021 09:11:08 +0100, Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service
> starts and no keys exist. Removing the keys from openssh-server in a
> postinst makes it complete so that we really only generate on the
> first boot.
>
> This is easier to handle than reusing the debian package hooks for key
> generation.
> > Signed-off-by: Henning Schild > --- > .../sshd-regen-keys/files/postinst | 2 ++ > .../files/sshd-regen-keys.service | 4 +--- > .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) > delete mode 100644 > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete > mode 100644 > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create > mode 100644 > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst > b/meta/recipes-support/sshd-regen-keys/files/postinst index > ae722a7349a2..1c9b03e3e040 100644 --- > a/meta/recipes-support/sshd-regen-keys/files/postinst +++ > b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@ > #!/bin/sh > set -e > > +rm /etc/ssh/ssh_host_*_key* > + > systemctl enable sshd-regen-keys.service > diff --git > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > index f50d34c820d8..af98d5e9e966 100644 --- > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > +++ > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot > RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive > -ExecStart=/usr/sbin/sshd-regen-keys.sh > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > +ExecStart=/usr/bin/ssh-keygen -A > StandardOutput=syslog > StandardError=syslog 
> > diff --git > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > deleted file mode 100644 index 910d879ba51f..000000000000 --- > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ > /dev/null @@ -1,20 +0,0 @@ > -#!/usr/bin/env sh > - > -echo -n "SSH server is " > -if systemctl is-enabled ssh; then > - SSHD_ENABLED="true" > - systemctl disable --no-reload ssh > -fi > - > -echo "Removing keys ..." > -rm -v /etc/ssh/ssh_host_*_key* > - > -echo "Regenerating keys ..." > -dpkg-reconfigure openssh-server > - > -if test -n $SSHD_ENABLED; then > - echo "Reenabling ssh server ..." > - systemctl enable --no-reload ssh > -fi > - > -sync > diff --git > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted > file mode 100644 index 6f12414239a3..000000000000 --- > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ > /dev/null @@ -1,17 +0,0 @@ > -# This software is a part of ISAR. > -inherit dpkg-raw > - > -DESCRIPTION = "Systemd service to regenerate sshd keys" > -MAINTAINER = "isar-users " > -DEBIAN_DEPENDS = "openssh-server, systemd" > - > -SRC_URI = "file://postinst \ > - file://sshd-regen-keys.service \ > - file://sshd-regen-keys.sh" > - > -do_install[cleandirs] = "${D}/lib/systemd/system \ > - ${D}/usr/sbin" > -do_install() { > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" > "${D}/lib/systemd/system/sshd-regen-keys.service" > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" > "${D}/usr/sbin/sshd-regen-keys.sh" -} > diff --git > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new > file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb 
> @@ -0,0 +1,14 @@ > +# This software is a part of ISAR. > +inherit dpkg-raw > + > +DESCRIPTION = "Systemd service to regenerate sshd keys" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "openssh-server, systemd" > + > +SRC_URI = "file://postinst \ > + file://sshd-regen-keys.service" > + > +do_install() { > + install -m 0755 "${D}/lib/systemd/system" > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" > "${D}/lib/systemd/system/sshd-regen-keys.service" +}
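Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so if the glob matches nothing (the keys were already removed, or openssh-server was configured without generating them) the literal pattern is handed to rm, rm fails and the postinst aborts with the package left unconfigured; use `rm -f /etc/ssh/ssh_host_*_key*`. The line also deletes the host keys on every configure of sshd-regen-keys, not only when the image is built, which is the intended behaviour for an image-only package but deserves a one-line comment above it.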
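Review bot: in the service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` leaves the unit enabled and running on every boot. That is harmless in itself because `ssh-keygen -A` only creates key files that do not exist, but it also means a key file that exists yet is empty or truncated (for example after a power loss right after first-boot generation, now that the removed script's trailing `sync` has no replacement) is never regenerated and sshd will log "Could not load host key" for it on every boot; an `ExecStartPost=/bin/sync` would keep the old behaviour. Since the removed script also disabled ssh around the regeneration, please confirm the [Unit] section (not visible in this hunk) orders this unit `Before=ssh.service`, otherwise sshd can start before the keys exist. Finally, `ssh-keygen -A` generates every host key type the installed ssh-keygen defaults to, which is not necessarily the same set the openssh-server postinst created via dpkg-reconfigure; check that the resulting /etc/ssh matches what sshd_config on the target expects.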
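Review bot: in the sshd-regen-keys_0.4.bb hunk, `install -m 0755 "${D}/lib/systemd/system"` has a single operand and no `-d`, so install will complain about a missing destination operand and the directory is never created; use `install -d -m 0755 "${D}/lib/systemd/system"` (the removed 0.3.bb got the directory for free from `do_install[cleandirs]`). `file://postinst` is in SRC_URI but nothing in do_install installs it, presumably because dpkg-raw picks maintainer scripts up from WORKDIR as 0.3.bb already relied on; a short comment saying so would spare the next reader the question.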
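The commit message above describes a two-part scheme: the postinst removes the host keys that openssh-server generated at image build time, and a oneshot unit runs `ssh-keygen -A` so the keys are created on the first boot of each device (and only then, because `-A` leaves existing keys alone). The following shell snippet is an added example, not code from the patch or from Isar: it is a build-time audit that fails if a rootfs still ships host keys (keys baked into the image would be identical on every device built from it), plus a scratch-directory walk-through of the first-boot flow showing that a second `ssh-keygen -A` is a no-op and that deleting the files yields fresh keys. The function names, the use of ssh-keygen's `-f` option as a path prefix, and the temporary rootfs are assumptions of this example; only the /etc/ssh/ssh_host_*_key* paths come from the patch.

```sh
#!/bin/sh
# Added example; not part of the sshd-regen-keys recipe or the patch above.
# Assumed: function names, use of `ssh-keygen -A -f <prefix>` so the keys land
# under a scratch rootfs instead of the real /etc/ssh.

# Return 0 if "$1"/etc/ssh contains no host key files, 1 if it does (listing them).
# This is what the postinst in the patch is supposed to guarantee for the image.
audit_no_host_keys() {
    rootfs=$1
    found=0
    for f in "$rootfs"/etc/ssh/ssh_host_*_key*; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        echo "host key shipped in image: ${f#"$rootfs"}" >&2
        found=1
    done
    return $found
}

# Print one fingerprint line per public host key under "$1"/etc/ssh, sorted so
# two runs can be compared as plain strings.
host_key_fingerprints() {
    for k in "$1"/etc/ssh/ssh_host_*_key.pub; do
        [ -e "$k" ] || continue
        ssh-keygen -l -f "$k"
    done | sort
}

# Emulate the first-boot scheme in a scratch rootfs "$1". Return 0 when
# (a) keys are generated, (b) a second run changes nothing, and
# (c) removing the files (what the postinst does) makes the next run create new ones.
first_boot_regen() {
    root=$1
    mkdir -p "$root/etc/ssh"
    ssh-keygen -A -f "$root" >/dev/null          # first boot: keys missing, generate
    fp1=$(host_key_fingerprints "$root")
    [ -n "$fp1" ] || return 1
    ssh-keygen -A -f "$root" >/dev/null          # second boot: nothing missing, no-op
    fp2=$(host_key_fingerprints "$root")
    [ "$fp1" = "$fp2" ] || return 1
    rm -f "$root"/etc/ssh/ssh_host_*_key*        # build-time removal, as in postinst
    ssh-keygen -A -f "$root" >/dev/null          # next boot regenerates
    fp3=$(host_key_fingerprints "$root")
    [ -n "$fp3" ] && [ "$fp1" != "$fp3" ]
}

# Usage in a build pipeline, against the unpacked image rootfs:
#   audit_no_host_keys /path/to/rootfs || exit 1
```

The audit needs nothing but a shell and is the check to wire into the image build; the regeneration walk-through needs ssh-keygen on the build host and writes only under the directory it is given.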