Date: Tue, 30 Mar 2021 11:21:56 +0200
From: Henning Schild
To: Harald Seiler , Jan Kiszka
Cc: isar-users
Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210330112156.00a67345@md1za8fc.ad001.siemens.net>
In-Reply-To:
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com> <20210326081108.26648-1-henning.schild@siemens.com>

On Fri, 26 Mar 2021 10:44:39 +0100, Harald Seiler wrote:
> Hi,
>
> On Fri, 2021-03-26 at 09:11 +0100, Henning Schild wrote:
> > Switch to using "/usr/bin/ssh-keygen -A" instead of
> > dpkg-reconfigure. With this we would generate new host keys every
> > time the service starts and no keys exist. Removing the keys from
> > openssh-server in a postinst makes it complete so that we really
> > only generate on the first boot.
> >
> > This is easier to handle than reusing the debian package hooks for
> > key generation.
>
> Yes, this is a _much_ more robust solution, I agree. The debian hooks
> were a mess to deal with and we had so many edge cases over time that
> not relying on them here is a much better choice. This also means
> the package would now work on a target where dpkg was removed for
> size constraints.

Thanks for the positive review.

@Jan did you get around testing this for your use-case?

Henning

> > Signed-off-by: Henning Schild
> > ---
> >  .../sshd-regen-keys/files/postinst | 2 ++
> >  .../files/sshd-regen-keys.service | 4 +---
> >  .../sshd-regen-keys/files/sshd-regen-keys.sh | 20
> > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb |
> > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb |
> > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> >  delete mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > delete mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create
> > mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> >
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> > b/meta/recipes-support/sshd-regen-keys/files/postinst index
> > ae722a7349a2..1c9b03e3e040 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/postinst +++
> > b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6
> > @@ #!/bin/sh
> >  set -e
> >
> >
> > +rm /etc/ssh/ssh_host_*_key*
> > +
>
> Just to make sure, this will always run after the openssh-server
> postinst which initially generates the keys?
>
> >  systemctl enable sshd-regen-keys.service
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index f50d34c820d8..af98d5e9e966 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service]
> > Type=oneshot RemainAfterExit=yes
> > -Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/usr/sbin/sshd-regen-keys.sh
> > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog
> >  StandardError=syslog
>
> This is also much cleaner because it no longer relies on the "self
> disabling service hack". Much preferred! Not sure if worth it,
> because ssh-keygen already ignores existing keys, but maybe we could
> add some
>
> ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
>
> (== systemd will skip the unit if all keys are present). This would
> also hide the service in the startup log when all keys exist where it
> would otherwise show up unconditionally.
>
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > deleted file mode 100644 index 910d879ba51f..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> > /dev/null @@ -1,20 +0,0 @@
> > -#!/usr/bin/env sh
> > -
> > -echo -n "SSH server is "
> > -if systemctl is-enabled ssh; then
> > - SSHD_ENABLED="true"
> > - systemctl disable --no-reload ssh
> > -fi
> > -
> > -echo "Removing keys ..."
> > -rm -v /etc/ssh/ssh_host_*_key*
> > -
> > -echo "Regenerating keys ..."
> > -dpkg-reconfigure openssh-server
> > -
> > -if test -n $SSHD_ENABLED; then
> > - echo "Reenabling ssh server ..."
> > - systemctl enable --no-reload ssh
> > -fi
> > -
> > -sync
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > deleted file mode 100644 index 6f12414239a3..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++
> > /dev/null @@ -1,17 +0,0 @@
> > -# This software is a part of ISAR.
> > -inherit dpkg-raw
> > -
> > -DESCRIPTION = "Systemd service to regenerate sshd keys"
> > -MAINTAINER = "isar-users "
> > -DEBIAN_DEPENDS = "openssh-server, systemd"
> > -
> > -SRC_URI = "file://postinst \
> > - file://sshd-regen-keys.service \
> > - file://sshd-regen-keys.sh"
> > -
> > -do_install[cleandirs] = "${D}/lib/systemd/system \
> > - ${D}/usr/sbin"
> > -do_install() {
> > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd-regen-keys.sh" -}
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> > file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > @@ -0,0 +1,14 @@
> > +# This software is a part of ISAR.
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Systemd service to regenerate sshd keys"
> > +MAINTAINER = "isar-users "
> > +DEBIAN_DEPENDS = "openssh-server, systemd"
> > +
> > +SRC_URI = "file://postinst \
> > + file://sshd-regen-keys.service"
> > +
> > +do_install() {
> > + install -m 0755 "${D}/lib/systemd/system"
> > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service" +}
> > --
> > 2.26.3
>
> Otherwise:
>
> Reviewed-by: Harald Seiler
>
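Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs on every configure of the package, not only on first installation, so a later upgrade or `dpkg-reconfigure` of sshd-regen-keys on a deployed target deletes the live host keys until the next boot regenerates them; guard it with the maintainer-script arguments, e.g. `if [ "$1" = "configure" ] && [ -z "$2" ]; then rm -f /etc/ssh/ssh_host_*_key*; fi`. The `-f` matters too because the script runs under `set -e`: when no key file exists the shell hands the unexpanded pattern to `rm`, which fails and aborts the postinst. On the ordering question asked above, the recipe's `DEBIAN_DEPENDS = "openssh-server, systemd"` is what makes dpkg configure openssh-server (and run its key-generating postinst) before this package's postinst.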
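Review bot: in the sshd-regen-keys.service hunk, removing the `ExecStartPost=-/bin/systemctl disable` line means the unit now runs on every boot, which is only safe because `ssh-keygen -A` generates just the key types that are missing; what the hunk does not show (it starts at line 9) is the [Unit] section, and the unit has to be ordered `Before=ssh.service` so that sshd, which refuses to start without a loadable host key, cannot be started before the keys exist on first boot. Harald's `ConditionPathExists=|!...` lines are a sensible addition, but they enumerate three key types and need to stay in sync with the HostKey types the target's sshd is configured to load. Minor: `StandardOutput=syslog` / `StandardError=syslog` in the context lines are deprecated since systemd 246 (mapped to `journal` with a warning), so this rework is a good moment to drop them.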
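Review bot: the deleted sshd-regen-keys.sh ended with an explicit `sync`, and nothing in the new unit replaces it; on a first boot from flash or SD media a power cut between `ssh-keygen -A` returning and writeback can leave truncated host-key files that sshd cannot load on the next boot, so either keep the flush (e.g. `ExecStartPost=/bin/sync`) or state in the commit message why it is no longer needed. Also worth a sentence there: the old script's unquoted `test -n $SSHD_ENABLED` was always true (with an empty variable it degenerates to `test -n`, which succeeds), so it re-enabled ssh unconditionally; that bug goes away with the file.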
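Review bot: in the new sshd-regen-keys_0.4.bb, `install -m 0755 "${D}/lib/systemd/system"` has a single operand and no `-d`, so GNU install rejects it ("missing destination file operand") and do_install fails before the service file is copied; it should read `install -d -m 0755 "${D}/lib/systemd/system"`, or keep the `do_install[cleandirs]` flag the 0.3 recipe used to create the directory. Style: the version bump is expressed as a delete of 0.3.bb plus a new 0.4.bb, which shows the whole recipe twice; generating the patch with rename detection (`git format-patch -M`) would reduce it to the actual changes (sshd-regen-keys.sh dropped from SRC_URI, cleandirs dropped, `-v` dropped) and make them reviewable.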