From mboxrd@z Thu Jan 1 00:00:00 1970
X-BeenThere: isar-users@googlegroups.com
Date: Thu, 18 Nov 2021 13:59:24 +0100
From: Henning Schild
To: "Q. Gylstorff"
Subject: Re: [PATCH] sshd-regen-keys: Disable service after it run once
Message-ID: <20211118135924.6fd0e2c1@md1za8fc.ad001.siemens.net>
In-Reply-To: <20211118115025.182309-1-Quirin.Gylstorff@siemens.com>
References: <20211118115025.182309-1-Quirin.Gylstorff@siemens.com>

On Thu, 18 Nov 2021 12:50:25 +0100, "Q. Gylstorff" wrote:
> From: Quirin Gylstorff
>
> sshd-regen-keys is executed every time the system boots.
> This leads to new system ssh keys every boot.

New keys on every boot should not happen!

SSH-KEYGEN(1)
-A  For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, ...

So yes you will see the service active/enabled/running but the keys should only be created on the first boot. If not please share your distro and version of ssh-keygen. (maybe it differs across versions)

Henning

> Revert to the behavior to before
> commit d700bf83042c57efdc4f4721f56d078433ce6b1d sshd-regen-keys:
> Improve service, make more robust
>
> and disable the service after it was executed.
>
> Signed-off-by: Quirin Gylstorff
> ---
> .../sshd-regen-keys/files/sshd-regen-keys.service | 1
> + .../{sshd-regen-keys_0.4.bb => sshd-regen-keys_0.5.bb} | 0
> 2 files changed, 1 insertion(+)
> rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.4.bb
> => sshd-regen-keys_0.5.bb} (100%)
>
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 5c2ccff7..b38e6edc 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -11,6 +11,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> RemainAfterExit=yes ExecStart=/usr/bin/ssh-keygen -A
> +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> [Install]
> WantedBy=sysinit.target
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.5.bb
> similarity index 100% rename from
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb rename to
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.5.bb
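Review bot: the leading `-` on `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` tells systemd to ignore a failing disable, so on a system where /etc is not persistently writable the unit silently stays enabled and the commit's stated goal is not met; consider dropping the `-` so a failure is visible in the journal. Also, as the reply above quotes from ssh-keygen(1), `-A` only generates key types whose host keys do not exist, so a system that really gets new keys on every boot is losing its host keys between boots, and once this unit has disabled itself such a system would boot with no host keys at all; the commit message should state which setup produces the observed behaviour before the self-disable is merged.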
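Henning's point can be checked without touching the real /etc/ssh. The following shell script is an added example, not part of the thread: it uses the `-f <prefix>` form of `ssh-keygen -A` from ssh-keygen(1) to generate host keys under a temporary directory, runs `-A` a second time and compares fingerprints, then repeats the experiment with the key files deleted in between, which is the only way the second run yields new keys. It assumes ssh-keygen is installed.

```shell
#!/bin/sh
# Added check (not from the thread): does a second `ssh-keygen -A` replace
# host keys that already exist?  Uses the `-f <prefix>` form of -A from
# ssh-keygen(1), which writes below <prefix>/etc/ssh instead of /etc/ssh,
# so nothing on the real host is touched.  Assumes ssh-keygen is installed.
set -eu

# Sorted fingerprints of every host public key under "$1/etc/ssh", one per line.
host_key_fingerprints() {
    for pub in "$1"/etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -lf "$pub" | awk '{ print $2 }'
    done | sort
}

# Run `ssh-keygen -A` twice in a throwaway prefix.  With "$1" = wipe the key
# files are deleted between the runs, mimicking a non-persistent /etc/ssh.
# Prints "same" when every fingerprint survived the second run, else "changed".
keygen_twice() {
    prefix=$(mktemp -d)
    mkdir -p "$prefix/etc/ssh"
    ssh-keygen -A -f "$prefix" >/dev/null
    before=$(host_key_fingerprints "$prefix")
    if [ "${1:-}" = wipe ]; then
        rm -f "$prefix"/etc/ssh/ssh_host_*_key "$prefix"/etc/ssh/ssh_host_*_key.pub
    fi
    ssh-keygen -A -f "$prefix" >/dev/null
    after=$(host_key_fingerprints "$prefix")
    rm -rf "$prefix"
    if [ -n "$before" ] && [ "$before" = "$after" ]; then
        echo same
    else
        echo changed
    fi
}

# Stand-alone run: the first line is expected to read "same" (existing keys
# kept), the second "changed" (keys reappear only because they were removed).
echo "existing keys kept: $(keygen_twice)"
echo "after wipe:         $(keygen_twice wipe)"
```

If the first run prints "changed" on your distribution, that ssh-keygen build really does regenerate existing keys and the version is worth reporting in the thread.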