Date: Wed, 28 Apr 2021 19:22:33 +0200
From: Henning Schild
To: "Moessbauer, Felix (T RDA IOT SES-DE)"
Cc: isar-users, "Kiszka, Jan (T RDA IOT)", Harald Seiler
Subject: Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
Message-ID: <20210428192233.4a1209fa@md1za8fc.ad001.siemens.net>
References: <20210330101722.10371-1-henning.schild@siemens.com>

On Wed, 28 Apr 2021 14:21:38 +0200, "Moessbauer, Felix (T RDA IOT SES-DE)" wrote:

> Hi,
>
> While this patch definitely improves the situation, there are still a
> couple of issues:
>
> 1. Reinstalling:
> When apt-get updating the package, the host's ssh-keys are removed.
> IMO it would be better to create a backup in the pre-rm step and
> restore that in postinst. An alternative would be to remove the ssh
> keys using ISAR in a post-processing step. Then no postinst script is
> required (that's similar to how the sshd-keygen@.service in fedora
> works).

Good catch! I will try to make something up. Problem with a backup is that
we do not want that backup on the first install, but with the pre-rm you
suggested it might just work.

The postprocess would be a clean way as well, but that would need to be
conditional on the package being installed, because the systemd units will
not generate keys if missing, and sshd will not come up. But I think that
can be done and is better than the backup cycle.

> 2. Systemd dependencies:
> It has to run as early as possible and anyways before the
> sshd-service. On some systems like fedora, there is already a
> sshd-keygen@.service that takes care of re-generating the keys if
> they are not present (as part of the openssh-server package). We
> should conflict on that, or better auto-disable in case this service
> is installed. I don't know if Debian plans to add something similar.

I guess you mean that sshd-regen-keys.service needs to finish for sure
before ssh@.service comes up. That seems to be missing, as you say, thanks!
A systemd dep would be the way to go; we failed with enable/disable stuff
before.

> 3. Compatibility with upstream
> If more distros accept the sshd-keygen service approach, we do not
> want to diverge here. Maybe it would be better to just port this
> approach to Debian / ISAR and deploy images without pre-installed
> ssh-keys.

That in fact sounds like the most promising way to go, but also the hardest.
If Debian would simply "generate if missing" and not "generate at install
time", that would be it. I think they did that in init scripts before systemd
became a thing.

One more thing we discussed internally is "cloud-init". That solves the same
problem and is packaged in Debian. In fact it might address more that might
be relevant for images that get distributed to many machines. But we also
found that it is kind of heavy, pulling in python3 and libs.

At the moment I have no clue how to proceed and will need to think about it.
I would say that "apt-get update" is maybe not something that most Isar users
want to use. We also have severe kernel update issues with our wic, where at
least legacy is affected and kernel updates will not work. Not a nice
situation ... but it takes the pressure out of this one a bit.

Anyone feel free to discuss further to help out.

regards,
Henning

> Best regards,
> Felix
>
> > -----Original Message-----
> > From: isar-users@googlegroups.com On > > Behalf Of [ext] Henning Schild > > Sent: Tuesday, March 30, 2021 12:17 PM > > To: isar-users > > Cc: Kiszka, Jan (T RDA IOT) ; Harald Seiler > > ; Schild, Henning (T RDA IOT SES-DE) > > > > Subject: [PATCH v2] sshd-regen-keys: Improve service, make more > > robust > > > > Switch to using "/usr/bin/ssh-keygen -A" instead of > > dpkg-reconfigure. With this we would generate new host keys every > > time the service starts and no keys exist. Removing the keys from > > openssh-server in a postinst makes it complete so that we really > > only generate on the first boot. > > > > This is easier to handle that reusing the debian package hooks for > > key generation. > > > > Signed-off-by: Henning Schild > > --- > > .../sshd-regen-keys/files/postinst | 2 ++ > > .../files/sshd-regen-keys.service | 4 +--- > > .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 > > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | > > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | > > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) > > delete mode 100644 > > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen- > > keys_0.3.bb create mode 100644 > > meta/recipes-support/sshd-regen-keys/sshd-regen- keys_0.4.bb > > > > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst > > b/meta/recipes-support/sshd-regen-keys/files/postinst > > index ae722a7349a2..1c9b03e3e040 100644 > > --- a/meta/recipes-support/sshd-regen-keys/files/postinst > > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > > @@ -1,4 +1,6 @@ > > #!/bin/sh > > set -e > > > > +rm /etc/ssh/ssh_host_*_key* > > + > > systemctl enable sshd-regen-keys.service 
diff --git a/meta/recipes- > > support/sshd-regen-keys/files/sshd-regen-keys.service > > b/meta/recipes- > > support/sshd-regen-keys/files/sshd-regen-keys.service index > > f50d34c820d8..af98d5e9e966 100644 --- > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > +++ > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] > > Type=oneshot RemainAfterExit=yes > > -Environment=DEBIAN_FRONTEND=noninteractive > > -ExecStart=/usr/sbin/sshd-regen-keys.sh > > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > > +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog > > StandardError=syslog > > > > diff --git > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > deleted file mode 100644 index 910d879ba51f..000000000000 > > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > +++ /dev/null > > @@ -1,20 +0,0 @@ > > -#!/usr/bin/env sh > > - > > -echo -n "SSH server is " > > -if systemctl is-enabled ssh; then > > - SSHD_ENABLED="true" > > - systemctl disable --no-reload ssh > > -fi > > - > > -echo "Removing keys ..." > > -rm -v /etc/ssh/ssh_host_*_key* > > - > > -echo "Regenerating keys ..." > > -dpkg-reconfigure openssh-server > > - > > -if test -n $SSHD_ENABLED; then > > - echo "Reenabling ssh server ..." > > - systemctl enable --no-reload ssh > > -fi > > - > > -sync > > diff --git > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > deleted file mode 100644 index 6f12414239a3..000000000000 > > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > +++ /dev/null 
> > @@ -1,17 +0,0 @@ > > -# This software is a part of ISAR. > > -inherit dpkg-raw > > - > > -DESCRIPTION = "Systemd service to regenerate sshd keys" > > -MAINTAINER = "isar-users " > > -DEBIAN_DEPENDS = "openssh-server, systemd" > > - > > -SRC_URI = "file://postinst \ > > - file://sshd-regen-keys.service \ > > - file://sshd-regen-keys.sh" > > - > > -do_install[cleandirs] = "${D}/lib/systemd/system \ > > - ${D}/usr/sbin" > > -do_install() { > > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" > > "${D}/lib/systemd/system/sshd-regen-keys.service" > > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" > > "${D}/usr/sbin/sshd- regen-keys.sh" > > -} > > diff --git > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new > > file mode 100644 index 000000000000..9ce1d8d88300 > > --- /dev/null > > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb 
> > @@ -0,0 +1,14 @@ > > +# This software is a part of ISAR. > > +inherit dpkg-raw > > + > > +DESCRIPTION = "Systemd service to regenerate sshd keys" > > +MAINTAINER = "isar-users " > > +DEBIAN_DEPENDS = "openssh-server, systemd" > > + > > +SRC_URI = "file://postinst \ > > + file://sshd-regen-keys.service" > > + > > +do_install() { > > + install -d -m 0755 "${D}/lib/systemd/system" > > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" > > "${D}/lib/systemd/system/sshd-regen-keys.service" > > +} > > -- > > 2.26.3
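Review bot: in the postinst hunk, `+rm /etc/ssh/ssh_host_*_key*` runs on every invocation of the script, not only on first install, and without `-f` it aborts the script under `set -e` whenever the glob matches nothing. Debian invokes the script as `postinst configure <last-configured-version>`, and `$2` is empty only on a fresh install, so guarding on that and using `-f` confines the wipe to the first install and keeps the host's SSH identity (and clients' known_hosts entries) across an apt upgrade or reinstall, which is the reinstall problem raised in the reply: `case "$1" in configure) [ -n "$2" ] || rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub ;; esac`. Note also that the `rm` sits before `systemctl enable sshd-regen-keys.service`, so if it fails the unit is never enabled and the image is left with neither keys nor the service that would regenerate them.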
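Review bot: in the sshd-regen-keys.service hunk, `+ExecStart=/usr/bin/ssh-keygen -A` is idempotent (it generates only the key types whose files are missing), so dropping the `ExecStartPost=-/bin/systemctl disable` self-disable is fine, but nothing in the visible unit orders it before sshd. Without a `Before=ssh.service` in `[Unit]` (Debian's sshd unit is `ssh.service`, aliased `sshd.service`) the two units start in parallel and sshd can fail on the first boot because the keys do not exist yet, which is the dependency gap acknowledged in the reply above. Since key generation now happens at boot rather than at install, the kept `ConditionPathIsReadWrite=/etc` also means a read-only /etc silently skips generation and leaves sshd without host keys; that is worth a comment in the unit. Minor: `StandardOutput=syslog`/`StandardError=syslog` are deprecated in newer systemd in favour of `journal`.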
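Review bot: the new sshd-regen-keys_0.4.bb ships a `postinst` that runs `systemctl enable sshd-regen-keys.service` but lists no `prerm` or `postrm` in `SRC_URI`, so removing the package leaves the enable symlink pointing at a deleted unit file; add a `prerm` that runs `systemctl disable sshd-regen-keys.service` on `remove` (and, if the backup approach from the reply is taken, that is where the pre-removal key backup would live). `DEBIAN_DEPENDS = "openssh-server, systemd"` does guarantee that openssh-server is configured before this package's postinst runs, which the postinst relies on since it deletes the keys that package's own postinst created.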
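The first-install-only key removal and the unit ordering discussed in this thread, as an added example that is not the Isar recipe's own postinst or unit file: a POSIX sh sketch of the maintainer-script decision (Debian runs `postinst configure <last-configured-version>`, with `$2` empty on a fresh install) exercised against a constructed directory of empty stand-in key files, plus a unit that orders itself before Debian's `ssh.service`. The function names, the `KEYDIR` parameter, the stand-in files and the `ssh.service` unit name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the Isar sshd-regen-keys recipe: first-install-only removal
# of the host keys openssh-server generated at image build time, plus the unit
# ordering needed so the keys exist before sshd starts.
#
# Debian runs maintainer scripts as: postinst configure <last-configured-version>
# $2 is empty on a fresh install and set on an upgrade or reinstall.
# Function names and the KEYDIR parameter are assumptions made for this example.

# wipe_host_keys_first_install ACTION PREV_VERSION KEYDIR
# Prints "removed" or "kept". Only a fresh "configure" deletes keys, so an
# apt upgrade of the package no longer changes the host's SSH identity.
wipe_host_keys_first_install() {
    action=$1
    prev=$2
    keydir=$3
    case "$action" in
        configure)
            if [ -z "$prev" ]; then
                # -f: a glob that matches nothing must not abort the script under set -e
                rm -f "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub
                echo removed
            else
                echo kept
            fi
            ;;
        abort-upgrade|abort-remove|abort-deconfigure)
            echo kept
            ;;
        *)
            echo "unexpected postinst action: $action" >&2
            return 1
            ;;
    esac
}

# count_host_keys KEYDIR: number of ssh_host_*_key private-key files present
count_host_keys() {
    n=0
    for f in "$1"/ssh_host_*_key; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# make_stub_keys KEYDIR: constructed stand-ins (empty files, no key material)
# for what openssh-server's own postinst would have created at build time
make_stub_keys() {
    mkdir -p "$1"
    for t in rsa ecdsa ed25519; do
        : > "$1/ssh_host_${t}_key"
        : > "$1/ssh_host_${t}_key.pub"
    done
}

# unit_text: the systemd unit with the ordering the patch leaves out.
# Assumes Debian's sshd unit name, ssh.service. ssh-keygen -A is idempotent
# (generates only missing key types), so the unit may run on every boot.
# ConditionPathIsReadWrite=/etc means a read-only /etc skips generation.
unit_text() {
    cat <<'EOF'
[Unit]
Description=Regenerate sshd host keys if missing
ConditionPathIsReadWrite=/etc
Before=ssh.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ssh-keygen -A

[Install]
WantedBy=multi-user.target
EOF
}

# demo: a fresh install wipes the build-time keys, an upgrade keeps them.
# Prints "<keys left after first install> <keys left after upgrade>".
demo() {
    d=$(mktemp -d)
    make_stub_keys "$d"
    wipe_host_keys_first_install configure "" "$d" >/dev/null
    first=$(count_host_keys "$d")
    make_stub_keys "$d"
    wipe_host_keys_first_install configure 0.3 "$d" >/dev/null
    upgrade=$(count_host_keys "$d")
    rm -rf "$d"
    echo "$first $upgrade"
}

demo   # prints "0 3"
```

In a real postinst the body of `wipe_host_keys_first_install` would run with `KEYDIR=/etc/ssh` before the `systemctl enable`, and the unit's `Before=ssh.service` is what makes the first boot deterministic: sshd is not started until `ssh-keygen -A` has returned.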