Date: Thu, 18 Nov 2021 13:55:32 +0100
From: Henning Schild To: Gylstorff Quirin Cc: isar-users , Jan Kiszka , Harald Seiler Subject: Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust Message-ID: <20211118135532.6a7e842d@md1za8fc.ad001.siemens.net> In-Reply-To: <3158fbe1-da72-c39c-e14a-b667d3e59845@siemens.com> References: <20210330101722.10371-1-henning.schild@siemens.com> <3158fbe1-da72-c39c-e14a-b667d3e59845@siemens.com> X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TUID: 8HDAuBDRsdYD Am Thu, 18 Nov 2021 12:10:04 +0100 schrieb Gylstorff Quirin : > On 3/30/21 12:17 PM, [ext] Henning Schild wrote: > > Switch to using "/usr/bin/ssh-keygen -A" instead of > > dpkg-reconfigure. With this we would generate new host keys every > > time the service starts and no keys exist. Removing the keys from > > openssh-server in a postinst makes it complete so that we really > > only generate on the first boot. > > > > This is easier to handle that reusing the debian package hooks for > > key generation. > > > > Signed-off-by: Henning Schild > > --- > > .../sshd-regen-keys/files/postinst | 2 ++ > > .../files/sshd-regen-keys.service | 4 +--- > > .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 > > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | > > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | > > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) > > delete mode 100644 > > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > delete mode 100644 > > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create > > mode 100644 > > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb 
> > > > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst > > b/meta/recipes-support/sshd-regen-keys/files/postinst index > > ae722a7349a2..1c9b03e3e040 100644 --- > > a/meta/recipes-support/sshd-regen-keys/files/postinst +++ > > b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 > > @@ #!/bin/sh > > set -e > > > > +rm /etc/ssh/ssh_host_*_key* > > + > > systemctl enable sshd-regen-keys.service > > diff --git > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > index f50d34c820d8..af98d5e9e966 100644 --- > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > +++ > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] > > Type=oneshot RemainAfterExit=yes > > -Environment=DEBIAN_FRONTEND=noninteractive > > -ExecStart=/usr/sbin/sshd-regen-keys.sh > > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > > Is it intended that it now runs on every boot? Yes. But only the first one will really do something, the others will end up as noop. Henning > Quirin > > > +ExecStart=/usr/bin/ssh-keygen -A > > StandardOutput=syslog > > StandardError=syslog > > > > diff --git > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > > deleted file mode 100644 index 910d879ba51f..000000000000 --- > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ > > /dev/null 
@@ -1,20 +0,0 @@ > > -#!/usr/bin/env sh > > - > > -echo -n "SSH server is " > > -if systemctl is-enabled ssh; then > > - SSHD_ENABLED="true" > > - systemctl disable --no-reload ssh > > -fi > > - > > -echo "Removing keys ..." > > -rm -v /etc/ssh/ssh_host_*_key* > > - > > -echo "Regenerating keys ..." > > -dpkg-reconfigure openssh-server > > - > > -if test -n $SSHD_ENABLED; then > > - echo "Reenabling ssh server ..." > > - systemctl enable --no-reload ssh > > -fi > > - > > -sync > > diff --git > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > > deleted file mode 100644 index 6f12414239a3..000000000000 --- > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ > > /dev/null @@ -1,17 +0,0 @@ > > -# This software is a part of ISAR. > > -inherit dpkg-raw > > - > > -DESCRIPTION = "Systemd service to regenerate sshd keys" > > -MAINTAINER = "isar-users " > > -DEBIAN_DEPENDS = "openssh-server, systemd" > > - > > -SRC_URI = "file://postinst \ > > - file://sshd-regen-keys.service \ > > - file://sshd-regen-keys.sh" > > - > > -do_install[cleandirs] = "${D}/lib/systemd/system \ > > - ${D}/usr/sbin" > > -do_install() { > > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" > > "${D}/lib/systemd/system/sshd-regen-keys.service" > > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" > > "${D}/usr/sbin/sshd-regen-keys.sh" -} > > diff --git > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new > > file mode 100644 index 000000000000..9ce1d8d88300 --- /dev/null > > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb 
> > @@ -0,0 +1,14 @@ > > +# This software is a part of ISAR. > > +inherit dpkg-raw > > + > > +DESCRIPTION = "Systemd service to regenerate sshd keys" > > +MAINTAINER = "isar-users " > > +DEBIAN_DEPENDS = "openssh-server, systemd" > > + > > +SRC_URI = "file://postinst \ > > + file://sshd-regen-keys.service" > > + > > +do_install() { > > + install -d -m 0755 "${D}/lib/systemd/system" > > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" > > "${D}/lib/systemd/system/sshd-regen-keys.service" +} > >
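Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so the script aborts with a non-zero status whenever the glob matches nothing (the unexpanded pattern is handed to rm, which fails), i.e. whenever the package is configured while no host keys exist. `rm -f /etc/ssh/ssh_host_*_key*` keeps the intent and stays idempotent. Separately, a postinst is also invoked on upgrades of an already-deployed system, where this line would delete live host keys and make every client see a changed host key on its next connection; consider guarding it so that it only runs on initial configuration.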
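Review bot: the sshd-regen-keys.service hunk drops the `sync` that the removed sshd-regen-keys.sh ran after key generation, and `ssh-keygen -A` alone does not flush to disk; on a device that loses power shortly after its first boot the freshly generated keys can be lost, and the next boot would generate different ones, which clients would again see as a host key change. Consider adding an `ExecStartPost=/bin/sync`. The old script also disabled `ssh` around regeneration and re-enabled it afterwards; with `ExecStart=/usr/bin/ssh-keygen -A` as the only step, correctness now relies entirely on the unit ordering itself before sshd, and the shown context (`ConditionPathIsReadWrite=/etc`, `[Service]`) does not include the `[Unit]` section, so please confirm it carries `Before=ssh.service`. Since `ssh-keygen -A` only creates key types that are missing, leaving the unit enabled on every boot is a no-op after the first run, as the reply states.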
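Review bot: the new sshd-regen-keys_0.4.bb hunk does not document that the postinst depends on openssh-server being configured first (so that the keys its own postinst generated at image build time exist to be removed) and that `DEBIAN_DEPENDS = "openssh-server, systemd"` is what provides that ordering; a one-line comment above DEBIAN_DEPENDS would make clear that the dependency is load-bearing and must not be dropped. Replacing `do_install[cleandirs]` with `install -d -m 0755 "${D}/lib/systemd/system"` is fine as is.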