From: Jan Kiszka
Subject: [PATCH] sshd-regen-keys: Improve service, make more robust
To: isar-users
Cc: Quirin Gylstorff, Henning Schild
Message-ID: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
Date: Thu, 25 Mar 2021 13:54:02 +0100

From: Jan Kiszka

This improves a number of things:
- stop the service while regenerating keys, rather than disabling its auto-start
- fix restart test condition
- also check that /tmp is writable (better safe than sorry)
- do not disable the regen service if it was not successful
Signed-off-by: Jan Kiszka --- This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh server if previously disabled". .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +- .../sshd-regen-keys/files/sshd-regen-keys.sh | 14 ++++++++------ ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0 3 files changed, 9 insertions(+), 7 deletions(-) rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%) diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c8..e7142e69 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -5,13 +5,13 @@ Conflicts=shutdown.target After=systemd-remount-fs.service Before=shutdown.target ssh.service ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp [Service] Type=oneshot RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index 910d879b..9b19f9d3 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ -1,9 +1,9 @@ #!/usr/bin/env sh echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh +if systemctl is-active ssh; then + SSHD_ACTIVE="true" + systemctl stop ssh fi echo "Removing keys ..." 
@@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* echo "Regenerating keys ..." dpkg-reconfigure openssh-server -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh +if test -n "$SSHD_ACTIVE"; then + echo "Restarting ssh server ..." + systemctl start ssh fi +systemctl disable sshd-regen-keys.service + sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb similarity index 100% rename from meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb -- 2.26.2
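Review bot: the new `ConditionPathIsReadWrite=/tmp` in the sshd-regen-keys.service hunk makes systemd skip the unit, not fail it, when /tmp is read-only, and since the unit only orders itself `Before=shutdown.target ssh.service` with no dependency pulled in from ssh.service, sshd would in that case still start with whatever host keys are present in the image. The existing `/etc` condition already behaves this way, but a second condition widens the window for a silent skip that only shows up as a "Condition check resulted in ... being skipped" log line. Suggest spelling out in the commit message why dpkg-reconfigure needs a writable /tmp (the message only says "better safe than sorry"), and, for images that must never come up with the host keys they shipped with, adding a drop-in for ssh.service with `Requires=sshd-regen-keys.service` so a skipped or failed regeneration blocks sshd instead of passing unnoticed.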
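Review bot: `systemctl is-active ssh` in the first sshd-regen-keys.sh hunk returns non-zero for states such as `activating`, and because the unit runs `Before=ssh.service` this branch is normally false at boot and only matters when the script is re-run on a live system, which is fine for the intended use. Worth a one-line comment, though, is that the state word `is-active` prints to stdout is what completes the preceding `echo -n "SSH server is "` message ("SSH server is active" / "SSH server is inactive"); if someone later adds `--quiet` or redirects that output, the syslog line will read just "SSH server is " with no state.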
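Review bot: the unconditional `systemctl disable sshd-regen-keys.service` added in the second sshd-regen-keys.sh hunk does not yet achieve the commit message's "do not disable the regen service if it was not successful": the script starts with `#!/usr/bin/env sh` and no `set -e`, so a failing `rm` or `dpkg-reconfigure openssh-server` still falls through to the `disable`, and since the last command is `sync` the script exits 0 and the `Type=oneshot` / `RemainAfterExit=yes` unit is recorded as succeeded even though no host keys were generated. Suggest `set -e` right after the shebang (or `dpkg-reconfigure openssh-server || exit 1`) so that a failure leaves the unit enabled for the next boot and visible as failed in `systemctl status`; an early exit then also leaves ssh stopped, which is the safer outcome once the old keys have already been removed. The added quotes in `test -n "$SSHD_ACTIVE"` are the actual restart-condition fix and deserve a mention in the message: unquoted, an unset variable collapsed to `test -n`, which is always true, so the server was re-enabled regardless of its prior state.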