Subject: Re: [PATCH v4] meta: Add recipe to regenerate ssh host keys
To: Harald Seiler, Henning Schild
Cc: isar-users@googlegroups.com
References: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net>
From: "Maxim Yu. Osipov"
Organization: ilbers GmbH
Message-ID: <5a1aa08f-4c4c-111b-3bb0-1eb441a7bb7e@ilbers.de>
Date: Wed, 17 Oct 2018 15:12:30 +0300

On 10/9/18 3:13 PM, Harald Seiler wrote:
> sshd-regen-keys is a systemd unit that will run
> at first boot and force sshd to generate new
> host keys.
>
> This prevents all devices from using the same keys.
>
> Also adds sshd-regen-keys to qemuamd64-buster.conf
> to ensure CI coverage.

Applied to the 'next'.

Thanks,
Maxim.
> Signed-off-by: Harald Seiler > --- > This version removes an unnecessary sudo in do_install > > meta-isar/conf/multiconfig/qemuamd64-buster.conf | 2 ++ > meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ > .../sshd-regen-keys/files/sshd-regen-keys.service | 19 +++++++++++++++++++ > .../sshd-regen-keys/sshd-regen-keys_0.1.bb | 14 ++++++++++++++ > 4 files changed, 39 insertions(+) > create mode 100644 meta/recipes-support/sshd-regen-keys/files/postinst > create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb > > diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf b/meta-isar/conf/multiconfig/qemuamd64-buster.conf > index 059ea00..bd18fcc 100644 > --- a/meta-isar/conf/multiconfig/qemuamd64-buster.conf > +++ b/meta-isar/conf/multiconfig/qemuamd64-buster.conf > @@ -11,6 +11,8 @@ IMAGE_TYPE ?= "wic-img" > WKS_FILE ?= "sdimage-efi" > IMAGER_INSTALL += "${GRUB_BOOTLOADER_INSTALL}" > > +IMAGE_INSTALL += "sshd-regen-keys" > + > QEMU_ARCH ?= "x86_64" > QEMU_MACHINE ?= "q35" > QEMU_CPU ?= "" > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst > new file mode 100644 > index 0000000..ae722a7 > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > @@ -0,0 +1,4 @@ > +#!/bin/sh > +set -e > + > +systemctl enable sshd-regen-keys.service > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > new file mode 100644 > index 0000000..3b8231f > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service 
> @@ -0,0 +1,19 @@ > +[Unit] > +Description=Regenerate sshd host keys > +DefaultDependencies=no > +Conflicts=shutdown.target > +After=systemd-remount-fs.service > +Before=shutdown.target sshd.service > +ConditionPathIsReadWrite=/etc > + > +[Service] > +Type=oneshot > +RemainAfterExit=yes > +Environment=DEBIAN_FRONTEND=noninteractive > +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" > +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > +StandardOutput=syslog > +StandardError=syslog > + > +[Install] > +WantedBy=sysinit.target > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb > new file mode 100644 > index 0000000..02e9e25 > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb > @@ -0,0 +1,14 @@ > +# This software is a part of ISAR. > +inherit dpkg-raw > + > +DESCRIPTION = "Systemd service to regenerate sshd keys" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "openssh-server, systemd" > + > +SRC_URI = "file://postinst \ > + file://sshd-regen-keys.service" > + > +do_install() { > + install -v -d -m 755 "${D}/lib/systemd/system" > + install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" > +} > -- Maxim Osipov ilbers GmbH Maria-Merian-Str. 8 85521 Ottobrunn Germany +49 (151) 6517 6917 mosipov@ilbers.de http://ilbers.de/ Commercial register Munich, HRB 214197 General Manager: Baurzhan Ismagulov
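Review bot: the postinst hunk enables the unit unconditionally, so any later reinstall or upgrade of sshd-regen-keys (postinst runs again with `configure`) re-enables the service and the host keys are regenerated once more at the next boot, invalidating the fingerprints clients already hold in known_hosts. Guard the enable with a first-install check, e.g. `if [ "$1" = configure ] && [ -z "$2" ]; then systemctl enable sshd-regen-keys.service; fi`, so the one-shot regeneration only follows the initial installation.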
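Review bot: in the sshd-regen-keys.service hunk, `ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"` joins the two steps with `;`, so a failing `rm` (an immutable file, or /etc unexpectedly not writable) is ignored: `dpkg-reconfigure` only creates keys that are missing, exits 0, and `ExecStartPost` then disables the unit with the shared keys still in place. Use `rm -fv ... && dpkg-reconfigure openssh-server` (or `sh -ec`) so that a failed removal makes the unit fail, stay enabled and retry on the next boot instead of reporting success. Also worth checking on the target is boot time: the unit sits in sysinit.target before sshd, and key generation on a device without a hardware RNG may wait for the kernel entropy pool to fill.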
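Review bot: the sshd-regen-keys_0.1.bb hunk ships a postinst that enables the unit but no prerm/postrm that disables it, so removing the package leaves a dangling sysinit.target.wants symlink pointing at the deleted unit file; unlike a debhelper-built package, nothing in this recipe generates that cleanup. Add a prerm to SRC_URI that runs `systemctl disable sshd-regen-keys.service` on `remove`, and extend DESCRIPTION to say that the unit deletes /etc/ssh/ssh_host_*_key* on first boot, so integrators know what the package does to the rootfs before they add it to IMAGE_INSTALL.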