public inbox for isar-users@googlegroups.com
From: Henning Schild <henning.schild@siemens.com>
To: "Moessbauer, Felix (T RDA IOT SES-DE)" <felix.moessbauer@siemens.com>
Cc: isar-users <isar-users@googlegroups.com>,
	"Kiszka, Jan (T RDA IOT)" <jan.kiszka@siemens.com>,
	Harald Seiler <hws@denx.de>
Subject: Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
Date: Wed, 28 Apr 2021 19:22:33 +0200
Message-ID: <20210428192233.4a1209fa@md1za8fc.ad001.siemens.net>
In-Reply-To: <AM0PR10MB1939825051D4016BA614AFE089409@AM0PR10MB1939.EURPRD10.PROD.OUTLOOK.COM>

On Wed, 28 Apr 2021 14:21:38 +0200,
"Moessbauer, Felix (T RDA IOT SES-DE)"
<felix.moessbauer@siemens.com> wrote:

> Hi,
> 
> While this patch definitely improves the situation, there are still a
> couple of issues:
> 
> 1. Reinstalling:
> When apt-get updating the package, the host's ssh-keys are removed.
> IMO it would be better to create a backup in the pre-rm step and
> restore that in postinst. An alternative would be, to remove the ssh
> keys using ISAR in a post-processing step. Then no postinst script is
> required (that's similar to how the sshd-keygen@.service in fedora
> works).

Good catch! I will try to make something up. Problem with a backup is
that we do not want that backup on the first install, but with the
pre-rm you suggested it might just work.
The postprocess would be a clean way as well, but that would need to be
conditional if the package is installed. Because the systemd units will
not generate keys if missing and sshd will not come up. But I think
that can be done and is better than the backup cycle.

> 2. Systemd dependencies:
> It has to run as early as possible and anyways before the
> sshd-service. On some systems like fedora, there is already a
> sshd-keygen@.service that takes care of re-generating the keys if
> they are not present (as part of the openssh-server package). We
> should conflict on that, or better auto-disable in case this service
> is installed. I don't know if Debian plans to add something similar.

I guess you mean that sshd-regen-keys.service needs to finish for sure
before ssh@.service comes up. That seems to be missing, as you say, thanks!
A systemd dep would be the way to go; we failed with enable/disable
stuff before.

> 3. Compatibility with upstream
> If more distros accept the sshd-keygen service approach, we do not
> want to diverge here. Maybe, it would be better to just port this
> approach to Debian / ISAR and deploy images without pre-installed
> ssh-keys.

That in fact sounds like the most promising way to go, but also the
hardest. If Debian would simply "generate if missing" and not "generate
at install time", that would be it. I think they did that in init
scripts before systemd became a thing.

One more thing we discussed internally is "cloud-init". That solves the
same problem and is packaged in debian. In fact it might address more
that might be relevant for images that get distributed to many
machines. But we also found that it is kind of heavy, pulling in
python3 and libs.

At the moment I have no clue how to proceed and will need to think
about it. I would say that "apt-get update" is maybe not something that
most Isar users want to use. We also have severe kernel update issues
with our wic, where at least legacy is affected and kernel updates will
not work. Not a nice situation ... but it takes the pressure out of
this one a bit.

Anyone feel free to discuss further to help out.

regards,
Henning

> Best regards,
> Felix
> 
> > -----Original Message-----
> > From: isar-users@googlegroups.com <isar-users@googlegroups.com> On
> > Behalf Of [ext] Henning Schild
> > Sent: Tuesday, March 30, 2021 12:17 PM
> > To: isar-users <isar-users@googlegroups.com>
> > Cc: Kiszka, Jan (T RDA IOT) <jan.kiszka@siemens.com>; Harald Seiler
> > <hws@denx.de>; Schild, Henning (T RDA IOT SES-DE)
> > <henning.schild@siemens.com>
> > Subject: [PATCH v2] sshd-regen-keys: Improve service, make more
> > robust
> >
> > Switch to using "/usr/bin/ssh-keygen -A" instead of
> > dpkg-reconfigure. With this we would generate new host keys every
> > time the service starts and no keys exist. Removing the keys from
> > openssh-server in a postinst makes it complete so that we really
> > only generate on the first boot.
> >
> > This is easier to handle than reusing the Debian package hooks for
> > key generation.
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  .../sshd-regen-keys/files/postinst            |  2 ++
> >  .../files/sshd-regen-keys.service             |  4 +---
> >  .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20
> > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb    |
> > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb    |
> > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> >  delete mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-
> > keys_0.3.bb create mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen- keys_0.4.bb
> >
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> > b/meta/recipes-support/sshd-regen-keys/files/postinst
> > index ae722a7349a2..1c9b03e3e040 100644
> > --- a/meta/recipes-support/sshd-regen-keys/files/postinst
> > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst
> > @@ -1,4 +1,6 @@
> >  #!/bin/sh
> >  set -e
> >
> > +rm /etc/ssh/ssh_host_*_key*
> > +
> >  systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-
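Review bot: the new `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so whenever the glob matches nothing (a reinstall after the keys were already removed, or an image whose openssh-server never generated any) `rm` exits non-zero and the postinst aborts, leaving the package unconfigured. It also fires on every `configure` call, upgrades included, which is exactly the key-loss problem raised earlier in this thread. Suggest `rm -f` plus a guard on dpkg's maintainer-script arguments so the keys are only dropped on the initial install, e.g. `if [ "$1" = configure ] && [ -z "$2" ]; then rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub; fi`.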
> > support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-
> > support/sshd-regen-keys/files/sshd-regen-keys.service index
> > f50d34c820d8..af98d5e9e966 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc  [Service]
> > Type=oneshot RemainAfterExit=yes
> > -Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/usr/sbin/sshd-regen-keys.sh
> > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog
> > StandardError=syslog
> >
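Review bot: with `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` gone the unit now runs on every boot, which is fine because `ssh-keygen -A` only creates key types whose files are missing, but nothing in this hunk orders it before the ssh daemon. Unless the [Unit] section (not shown here) carries `Before=ssh.service` and the unit is pulled in by the same target, sshd can be started on first boot before any host key exists and will refuse to come up; please add the ordering in this series, since the postinst above guarantees the keys are absent on first boot.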
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > deleted file mode 100644 index 910d879ba51f..000000000000
> > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > +++ /dev/null
> > @@ -1,20 +0,0 @@
> > -#!/usr/bin/env sh
> > -
> > -echo -n "SSH server is "
> > -if systemctl is-enabled ssh; then
> > -    SSHD_ENABLED="true"
> > -    systemctl disable --no-reload ssh
> > -fi
> > -
> > -echo "Removing keys ..."
> > -rm -v /etc/ssh/ssh_host_*_key*
> > -
> > -echo "Regenerating keys ..."
> > -dpkg-reconfigure openssh-server
> > -
> > -if test -n $SSHD_ENABLED; then
> > -    echo "Reenabling ssh server ..."
> > -    systemctl enable --no-reload ssh
> > -fi
> > -
> > -sync
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > deleted file mode 100644 index 6f12414239a3..000000000000
> > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > +++ /dev/null
> > @@ -1,17 +0,0 @@
> > -# This software is a part of ISAR.
> > -inherit dpkg-raw
> > -
> > -DESCRIPTION = "Systemd service to regenerate sshd keys"
> > -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > -DEBIAN_DEPENDS = "openssh-server, systemd"
> > -
> > -SRC_URI = "file://postinst \
> > -           file://sshd-regen-keys.service \
> > -           file://sshd-regen-keys.sh"
> > -
> > -do_install[cleandirs] = "${D}/lib/systemd/system \
> > -                         ${D}/usr/sbin"
> > -do_install() {
> > -    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > -    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd- regen-keys.sh"
> > -}
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> > file mode 100644 index 000000000000..9ce1d8d88300
> > --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > @@ -0,0 +1,14 @@
> > +# This software is a part of ISAR.
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Systemd service to regenerate sshd keys"
> > +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > +DEBIAN_DEPENDS = "openssh-server, systemd"
> > +
> > +SRC_URI = "file://postinst \
> > +           file://sshd-regen-keys.service"
> > +
> > +do_install() {
> > +    install -d -m 0755 "${D}/lib/systemd/system"
> > +    install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > +}
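Review bot: the package enables sshd-regen-keys.service from postinst, but SRC_URI ships no prerm or postrm, so `apt-get remove` leaves the symlink created by `systemctl enable` dangling under /etc/systemd/system. Add a prerm that runs `systemctl disable sshd-regen-keys.service` (guarded with `|| true` for systems where systemd is not running), or install the unit through a preset instead of enabling it by hand.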
> > --
> > 2.26.3
> >
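The three points discussed above (remove the image's baked-in keys only on first install, generate keys only if they are missing, and run that step before sshd) can be combined in one small script. The following is an added example, not ISAR's code or anything from the patch: it assumes dpkg's maintainer-script calling convention (`configure` with the previous version as `$2` on upgrades and no `$2` on a fresh install), and the `SSH_DIR` and `KEYGEN` overrides as well as the `postinst`/`regen` dispatch words are hypothetical knobs added so the logic can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not ISAR's code: first-boot host-key handling that keeps the
# keys of an already-running system across package upgrades and regenerates
# keys only when none exist, so the boot-time step is safe to run every boot.
# SSH_DIR and KEYGEN are hypothetical overrides for testing against a scratch
# directory; on a real system leave the defaults.
set -eu

SSH_DIR="${SSH_DIR:-/etc/ssh}"
KEYGEN="${KEYGEN:-/usr/bin/ssh-keygen -A}"   # "-A" only creates missing key types

# Return 0 if at least one private host key exists in DIR, 1 otherwise.
host_keys_present() {
    for f in "$1"/ssh_host_*_key; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Maintainer-script guard. Arguments are dpkg's: $1 = action, $2 = previously
# configured version (empty on first install). Returns 0 when the pre-generated
# keys were removed, 1 when they were deliberately kept.
postinst_guard() {
    action="$1"
    prev="${2:-}"
    if [ "$action" = configure ] && [ -z "$prev" ]; then
        # First install: drop the keys shipped in the image so every device
        # gets its own set on first boot. -f keeps "set -e" happy if none exist.
        rm -f "$SSH_DIR"/ssh_host_*_key "$SSH_DIR"/ssh_host_*_key.pub
        return 0
    fi
    # Upgrade or any other action: never touch the keys of a running system.
    return 1
}

# Boot-time step for the oneshot unit, which must be ordered Before=ssh.service.
# Returns 0 once host keys exist in SSH_DIR.
regen_if_missing() {
    if host_keys_present "$SSH_DIR"; then
        echo "host keys present in $SSH_DIR, nothing to do"
        return 0
    fi
    echo "no host keys in $SSH_DIR, generating"
    # shellcheck disable=SC2086  # intentional word splitting of the command
    $KEYGEN
    sync
    host_keys_present "$SSH_DIR"
}

# Dispatch so one file can serve as the postinst and as the unit's ExecStart.
case "${1:-}" in
    postinst) postinst_guard "${2:-}" "${3:-}" || true ;;
    regen)    regen_if_missing ;;
    *)        : ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Invoked as `script postinst "$@"` from the package's postinst and as `ExecStart=script regen` from the oneshot unit, the regeneration path is idempotent, so the `systemctl disable` dance from the old sshd-regen-keys.sh is not needed, and the ordering against the daemon still has to come from `Before=ssh.service` in the unit itself.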


Thread overview (8+ messages):
2021-03-30 10:17 Henning Schild
2021-04-08  8:24 ` Anton Mikanovich
2021-04-08  8:50   ` Jan Kiszka
2021-04-08 10:02 ` Anton Mikanovich
2021-04-28 12:21 ` Moessbauer, Felix
2021-04-28 17:22   ` Henning Schild [this message]
2021-11-18 11:10 ` Gylstorff Quirin
2021-11-18 12:55   ` Henning Schild
