From: Gylstorff Quirin
Organization: Siemens
To: "[ext] Henning Schild", isar-users
Cc: Jan Kiszka, Harald Seiler
Subject: Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
Date: Thu, 18 Nov 2021 12:10:04 +0100
Message-ID: <3158fbe1-da72-c39c-e14a-b667d3e59845@siemens.com>
In-Reply-To: <20210330101722.10371-1-henning.schild@siemens.com>
References: <20210330101722.10371-1-henning.schild@siemens.com>

On 3/30/21 12:17 PM, [ext] Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
>
> This is easier to handle than reusing the debian package hooks for key
> generation.
>
> Signed-off-by: Henning Schild
> ---
> .../sshd-regen-keys/files/postinst | 2 ++
> .../files/sshd-regen-keys.service | 4 +---
> .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 -------------------
> .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ----------------
> .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 ++++++++++++++
> 5 files changed, 17 insertions(+), 40 deletions(-)
> delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst > index ae722a7349a2..1c9b03e3e040 100644 > --- a/meta/recipes-support/sshd-regen-keys/files/postinst > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > @@ -1,4 +1,6 @@ > #!/bin/sh > set -e > > +rm /etc/ssh/ssh_host_*_key* > + > systemctl enable sshd-regen-keys.service
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > index f50d34c820d8..af98d5e9e966 100644 > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc > [Service] > Type=oneshot > RemainAfterExit=yes > -Environment=DEBIAN_FRONTEND=noninteractive > -ExecStart=/usr/sbin/sshd-regen-keys.sh > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service Is it intended that it now runs on every boot? Quirin > +ExecStart=/usr/bin/ssh-keygen -A > StandardOutput=syslog > StandardError=syslog > > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > deleted file mode 100644 > index 910d879ba51f..000000000000 > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > +++ /dev/null > @@ -1,20 +0,0 @@ > -#!/usr/bin/env sh > - > -echo -n "SSH server is " > -if systemctl is-enabled ssh; then > - SSHD_ENABLED="true" > - systemctl disable --no-reload ssh > -fi > - > -echo "Removing keys ..." > -rm -v /etc/ssh/ssh_host_*_key* > - > -echo "Regenerating keys ..." > -dpkg-reconfigure openssh-server > - > -if test -n $SSHD_ENABLED; then > - echo "Reenabling ssh server ..." > - systemctl enable --no-reload ssh > -fi > - > -sync > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > deleted file mode 100644 > index 6f12414239a3..000000000000 > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > +++ /dev/null 
> @@ -1,17 +0,0 @@ > -# This software is a part of ISAR. > -inherit dpkg-raw > - > -DESCRIPTION = "Systemd service to regenerate sshd keys" > -MAINTAINER = "isar-users " > -DEBIAN_DEPENDS = "openssh-server, systemd" > - > -SRC_URI = "file://postinst \ > - file://sshd-regen-keys.service \ > - file://sshd-regen-keys.sh" > - > -do_install[cleandirs] = "${D}/lib/systemd/system \ > - ${D}/usr/sbin" > -do_install() { > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" > -} > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > new file mode 100644 > index 000000000000..9ce1d8d88300 > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > @@ -0,0 +1,14 @@ > +# This software is a part of ISAR. > +inherit dpkg-raw > + > +DESCRIPTION = "Systemd service to regenerate sshd keys" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "openssh-server, systemd" > + > +SRC_URI = "file://postinst \ > + file://sshd-regen-keys.service" > + > +do_install() { > + install -d -m 0755 "${D}/lib/systemd/system" > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" > +} >
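Review bot: in the postinst hunk, the new `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so if the glob matches nothing (keys already gone, e.g. when this package is reconfigured or reinstalled on a rootfs that was already cleaned) rm exits non-zero and the whole postinst aborts, leaving the package unconfigured and the service never enabled. `rm -f /etc/ssh/ssh_host_*_key*` keeps the intent and makes the step idempotent. A one-line comment saying that the keys created by openssh-server's own postinst are deliberately deleted so that the first-boot service recreates them would also help, since the step only works because `DEBIAN_DEPENDS = "openssh-server, systemd"` in the new recipe guarantees openssh-server is configured first.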
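Review bot: in the sshd-regen-keys.service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` means the unit now runs on every boot, which is the question Quirin raises inline. That is safe only because `ssh-keygen -A` creates keys that do not yet exist and leaves existing ones alone, so the unit is really a "create missing host keys" step rather than a regeneration; the unit description (not visible here) should say so, or the disable line should stay so the behaviour matches the name. The deleted script also disabled and re-enabled ssh around the key generation; with that gone, only the unit ordering relative to ssh.service keeps sshd from starting with no host keys, and the [Unit] section is outside the visible context, so please confirm it carries `Before=ssh.service`.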
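Review bot: in the deleted sshd-regen-keys.sh hunk, the old script ended with `sync` after generating keys, and `ExecStart=/usr/bin/ssh-keygen -A` has no equivalent. A power cut shortly after first boot can then lose the freshly written key files, and the next boot generates a different set, which clients see as a changed host key fingerprint. Consider keeping the flush, e.g. as an `ExecStartPost=/bin/sync` in the unit. Separately, the old `if test -n $SSHD_ENABLED; then` was unquoted and therefore always true when the variable was empty, so removing the script fixes that latent bug as well.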