From: Henning Schild
To: isar-users
Cc: Jan Kiszka, Harald Seiler, Henning Schild
Subject: [PATCH v2] sshd-regen-keys: Improve service, make more robust
Date: Tue, 30 Mar 2021 12:17:22 +0200
Message-Id: <20210330101722.10371-1-henning.schild@siemens.com>

Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure. With this we would generate new host keys every time the service starts and no keys exist. Removing the keys from openssh-server in a postinst makes it complete so that we really only generate on the first boot. This is easier to handle than reusing the debian package hooks for key generation.
Signed-off-by: Henning Schild --- .../sshd-regen-keys/files/postinst | 2 ++ .../files/sshd-regen-keys.service | 4 +--- .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst index ae722a7349a2..1c9b03e3e040 100644 --- a/meta/recipes-support/sshd-regen-keys/files/postinst +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@ #!/bin/sh set -e +rm /etc/ssh/ssh_host_*_key* + systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c820d8..af98d5e9e966 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive -ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh deleted file mode 100644 index 910d879ba51f..000000000000 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env sh - -echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh -fi - -echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* - -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server - -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh -fi - -sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted file mode 100644 index 6f12414239a3..000000000000 --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ /dev/null @@ -1,17 +0,0 @@ -# This software is a part of ISAR. -inherit dpkg-raw - -DESCRIPTION = "Systemd service to regenerate sshd keys" -MAINTAINER = "isar-users " -DEBIAN_DEPENDS = "openssh-server, systemd" - -SRC_URI = "file://postinst \ - file://sshd-regen-keys.service \ - file://sshd-regen-keys.sh" - -do_install[cleandirs] = "${D}/lib/systemd/system \ - ${D}/usr/sbin" -do_install() { - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" -} diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new file mode 100644 index 000000000000..9ce1d8d88300 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +inherit dpkg-raw + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +do_install() { + install -d -m 0755 "${D}/lib/systemd/system" + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +} -- 2.26.3
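Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so whenever no host key files exist at configure time (openssh-server did not create them in the build chroot, or the package is reconfigured after the keys were already removed) the glob stays unexpanded, `rm` fails and the whole postinst aborts with the package left unconfigured. Suggest `rm -f /etc/ssh/ssh_host_*_key*`. The intent itself is right: keys generated while the image is built would be identical on every device flashed from that image, and deleting them in postinst is what makes the "only on first boot" guarantee hold.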
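Review bot: in the service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` means the unit now stays enabled and `ssh-keygen -A` runs on every boot. That is harmless in itself, since `-A` only creates key types that are missing, but it also means sshd has to be ordered after this unit on every boot rather than just the first; please confirm the [Unit] section, which is outside this hunk, carries `Before=ssh.service` or an equivalent ordering. Also, the deleted sshd-regen-keys.sh ended with `sync` and the new ExecStart has no equivalent; on hardware that may lose power shortly after first boot, the freshly generated keys could be lost and regenerated on the next boot, changing the host identity, so consider `ExecStartPost=/bin/sync` unless the filesystem already guarantees this.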
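Review bot: for the new sshd-regen-keys_0.4.bb, the `DEBIAN_DEPENDS = "openssh-server, systemd"` line is what orders this package's postinst after openssh-server's, so the `rm` actually sees the build-time keys; that ordering does not protect against openssh-server being configured again later in the build (an upgrade pulled in by a later recipe recreates the missing keys), in which case the image would ship with host keys after all. Worth a note in the recipe, and ideally an image-level check that `/etc/ssh/ssh_host_*_key*` is absent in the finished rootfs.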