Message-ID: <4ee60044614a050c4ad7e9996f8c051391885bc7.camel@denx.de>
Subject: [PATCH v2] meta: Add recipe to regenerate ssh host keys
From: Harald Seiler
To: Henning Schild
Cc: isar-users@googlegroups.com
Date: Tue, 02 Oct 2018 10:43:43 +0200
In-Reply-To: <20180926103138.1241c7f1@md1pvb1c.ad001.siemens.net>
References: <20180926103138.1241c7f1@md1pvb1c.ad001.siemens.net>

sshd-regen-keys is a systemd unit that will run at first boot and force sshd to generate new host keys. This prevents all devices using the same keys.

Signed-off-by: Harald Seiler
---
 meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++
 .../sshd-regen-keys/files/sshd-regen-keys.service | 19 +++++++++++++++++++
 .../sshd-regen-keys/sshd-regen-keys_0.1.bb | 15 +++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/sshd-regen-keys/files/postinst
 create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
 create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode 100644 index 0000000..ae722a7 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service new file mode 100644 index 0000000..3b8231f --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -0,0 +1,19 @@ +[Unit] +Description=Regenerate sshd host keys +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-remount-fs.service +Before=shutdown.target sshd.service +ConditionPathIsReadWrite=/etc + +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=DEBIAN_FRONTEND=noninteractive +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb new file mode 100644 index 0000000..06e0cc4 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -0,0 +1,15 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +inherit dpkg-raw + +do_install() { + sudo install -v -d -m 755 "${D}/lib/systemd/system" + sudo install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +}
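Review bot: in the postinst hunk, `systemctl enable sshd-regen-keys.service` runs for every maintainer-script invocation, not only `configure`; wrap it in `case "$1" in configure) systemctl enable sshd-regen-keys.service ;; esac` so abort-upgrade/abort-remove calls do not re-enable a unit that has already disabled itself, and add a matching postrm that disables the unit on `remove` so uninstalling the package does not leave a dangling symlink under sysinit.target.wants. Since `systemctl enable` only creates symlinks, it works inside the build chroot without a running systemd, which is what makes the unit fire on the device's first boot; a one-line comment in the script saying so would help the next reader.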
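Review bot: in the service hunk, `Before=sshd.service` orders against a name that Debian's openssh-server only provides as an `Alias=` of `ssh.service`, created when `ssh.service` is enabled; if the daemon is started through `ssh.socket` instead, or the alias symlink is absent, the ordering is silently dropped and sshd can come up on the image-wide keys before this unit has removed them. Suggest `Before=shutdown.target ssh.service ssh.socket sshd.service`. Also note that `ConditionPathIsReadWrite=/etc` checks only /etc, while `dpkg-reconfigure openssh-server` also needs a writable /var/lib/dpkg; if it fails, the unit fails before `ExecStartPost` disables it and so retries on the next boot, which is the right behaviour for a key-regeneration step but deserves a comment, and an `After=local-fs.target` (or a second ConditionPathIsReadWrite on /var) would avoid the spurious first failure on systems with a separate /var.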
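Review bot: in the recipe hunk, `postinst` is listed in `SRC_URI` but never touched by `do_install`, so the package relies on dpkg-raw picking `${WORKDIR}/postinst` up implicitly; add a short comment above `do_install` stating that, otherwise a reader will assume the maintainer script is dropped. As rendered here the `MAINTAINER` field carries no address after "isar-users"; verify the committed file has the full `Name <address>` form, since dpkg warns on a malformed Maintainer field. Finally, since the service disables itself via `ExecStartPost`, a `postrm` that does the same on package removal should be shipped alongside the postinst so install and remove stay symmetric.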