* [PATCH] sshd-regen-keys: Improve service, make more robust
@ 2021-03-25 12:54 Jan Kiszka
2021-03-25 14:30 ` Henning Schild
2021-03-26 8:11 ` Henning Schild
From: Jan Kiszka @ 2021-03-25 12:54 UTC (permalink / raw)
To: isar-users; +Cc: Quirin Gylstorff, Henning Schild
From: Jan Kiszka <jan.kiszka@siemens.com>
This improves a number of things:
- stop the service while regenerating keys, rather than disabling its
auto-start
- fix restart test condition
- also check that /tmp is writable (better safe than sorry)
- do not disable the regen service if it was not successful
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh server if previously disabled".
.../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
.../sshd-regen-keys/files/sshd-regen-keys.sh | 14 ++++++++------
...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0
3 files changed, 9 insertions(+), 7 deletions(-)
rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index f50d34c8..e7142e69 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -5,13 +5,13 @@ Conflicts=shutdown.target
After=systemd-remount-fs.service
Before=shutdown.target ssh.service
ConditionPathIsReadWrite=/etc
+ConditionPathIsReadWrite=/tmp
[Service]
Type=oneshot
RemainAfterExit=yes
Environment=DEBIAN_FRONTEND=noninteractive
ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
StandardOutput=syslog
StandardError=syslog
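Review bot: the new `ConditionPathIsReadWrite=/tmp` is evaluated at the moment the unit is about to start, and the unit only orders itself after systemd-remount-fs.service; if /tmp is a separate mount (tmpfs via tmp.mount or its own partition) that comes up later, the condition is checked against the underlying directory of the root filesystem and can be false, in which case the unit is silently skipped (an unmet Condition is not a failure) and the keys are never regenerated. Add `RequiresMountsFor=/tmp` (or `After=local-fs.target`) alongside the new condition. On the removed `ExecStartPost=` line: for a Type=oneshot unit systemd runs ExecStartPost only after ExecStart exited 0, so that line was already conditional on success; it fired on failed runs because the script's exit status was that of its last command, `sync`. Moving the disable into the script does not change that unless the script itself starts failing on errors.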
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
index 910d879b..9b19f9d3 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -1,9 +1,9 @@
#!/usr/bin/env sh
echo -n "SSH server is "
-if systemctl is-enabled ssh; then
- SSHD_ENABLED="true"
- systemctl disable --no-reload ssh
+if systemctl is-active ssh; then
+ SSHD_ACTIVE="true"
+ systemctl stop ssh
fi
echo "Removing keys ..."
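Review bot: on the boot this unit is meant to run on, `Before=ssh.service` ensures ssh.service has not been started yet, so `systemctl is-active ssh` is false and the new stop/start branch is dead for the first-boot case; it only matters when the script is run by hand later. That is fine to keep, but the exit status of `systemctl stop ssh` is ignored, so a failed stop leads to the keys being removed underneath a running sshd. Consider `systemctl stop ssh || exit 1`. Note also that the "SSH server is " prefix now gets completed by whatever `is-active` prints ("active"/"inactive"), which reads well but should be intentional.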
@@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key*
echo "Regenerating keys ..."
dpkg-reconfigure openssh-server
-if test -n $SSHD_ENABLED; then
- echo "Reenabling ssh server ..."
- systemctl enable --no-reload ssh
+if test -n "$SSHD_ACTIVE"; then
+ echo "Restarting ssh server ..."
+ systemctl start ssh
fi
+systemctl disable sshd-regen-keys.service
+
sync
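Review bot: the commit message promises that the regen service is no longer disabled when regeneration fails, but the script has no `set -e` and does not check the exit status of `dpkg-reconfigure openssh-server`, so the new `systemctl disable sshd-regen-keys.service` runs unconditionally and the unit's result is still decided by `sync`. Add `set -e` after the shebang, or `dpkg-reconfigure openssh-server || exit 1`, so a failed run leaves the unit enabled for the next boot. The quoting fix on `test -n "$SSHD_ACTIVE"` is correct: the unquoted `test -n $SSHD_ENABLED` became `test -n` with the variable empty, which is always true, so the old script re-enabled ssh regardless.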
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
similarity index 100%
rename from meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
rename to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
--
2.26.2
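The commit message above wants the regen unit to stay enabled when regeneration did not succeed. As an added example (not Isar's sshd-regen-keys.sh and not part of either patch in this thread), here is a script structured so that its exit status actually carries that information: it fails if the key directory is not writable, removes the keys baked into the image, generates the missing types, and verifies the result before returning 0. KEY_DIR and KEY_TYPES are assumptions (Debian's defaults are /etc/ssh and rsa/ecdsa/ed25519); keys are generated per type with `ssh-keygen -t` instead of `-A` so the directory can be passed explicitly, and `stat -c` is GNU/BusyBox syntax.

```shell
#!/bin/sh
# Added example, not Isar's sshd-regen-keys.sh: regenerate OpenSSH host keys
# in KEY_DIR and return non-zero unless every expected key exists afterwards
# with sane permissions, so a Type=oneshot unit can gate "systemctl disable"
# on the exit status instead of disabling unconditionally.
# KEY_DIR and KEY_TYPES are assumptions; Debian's defaults are /etc/ssh and
# rsa/ecdsa/ed25519 host keys.
set -eu

KEY_DIR="${KEY_DIR:-/etc/ssh}"
KEY_TYPES="${KEY_TYPES:-rsa ecdsa ed25519}"

# Return 0 when every expected private/public key pair exists in directory $1.
host_keys_complete() {
    dir="$1"
    for t in $KEY_TYPES; do
        [ -f "$dir/ssh_host_${t}_key" ] || return 1
        [ -f "$dir/ssh_host_${t}_key.pub" ] || return 1
    done
    return 0
}

# Return 0 when every private host key in $1 is a regular file with mode 0600.
# sshd refuses group- or world-readable host keys, and a symlink here would let
# whoever controls the link target choose the host identity.
host_key_perms_ok() {
    dir="$1"
    for f in "$dir"/ssh_host_*_key; do
        [ -e "$f" ] || continue            # unmatched glob: nothing to check
        [ ! -L "$f" ] || return 1
        [ "$(stat -c '%a' "$f")" = "600" ] || return 1
    done
    return 0
}

# Remove the keys that were baked into the image. -f keeps this idempotent:
# an unmatched glob is passed to rm literally and would fail under set -e.
remove_host_keys() {
    rm -f "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub
}

# Generate any key type missing in $1. Like ssh-keygen -A this skips types
# that already exist, so an interrupted first boot resumes where it stopped
# instead of replacing keys that clients may already have seen.
generate_host_keys() {
    dir="$1"
    command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; return 1; }
    for t in $KEY_TYPES; do
        f="$dir/ssh_host_${t}_key"
        if [ ! -f "$f" ]; then
            ssh-keygen -q -t "$t" -N '' -f "$f"
        fi
    done
}

# Full first-boot procedure: fail early on a read-only directory, and only
# report success after verifying the result and flushing it to disk.
regen_host_keys() {
    dir="$1"
    [ -w "$dir" ] || { echo "$dir is not writable" >&2; return 1; }
    remove_host_keys "$dir"
    generate_host_keys "$dir"
    host_keys_complete "$dir" || { echo "host keys incomplete in $dir" >&2; return 1; }
    host_key_perms_ok "$dir" || { echo "bad host key permissions in $dir" >&2; return 1; }
    sync
}

# Run only when invoked as "script.sh --run [dir]"; sourcing the file just
# defines the functions.
if [ "${1-}" = "--run" ]; then
    regen_host_keys "${2:-$KEY_DIR}"
fi
```

With `set -e` and the explicit checks, the oneshot's result reflects whether usable keys exist, so a unit can keep `ExecStartPost=/bin/systemctl disable sshd-regen-keys.service` (systemd skips ExecStartPost when ExecStart fails) and a broken first boot gets another attempt on the next one instead of leaving the device without host keys.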
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-25 12:54 [PATCH] sshd-regen-keys: Improve service, make more robust Jan Kiszka
@ 2021-03-25 14:30 ` Henning Schild
2021-03-25 18:53 ` Jan Kiszka
2021-03-26 8:11 ` Henning Schild
From: Henning Schild @ 2021-03-25 14:30 UTC (permalink / raw)
To: Jan Kiszka; +Cc: isar-users, Quirin Gylstorff, Harald Seiler
I am beginning to think we should fix that upstream. If the upstream
service file would generate the keys if missing ... all isar would need
to do is remove the files. Either with a package hook or with an
image-postprocess
On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
>
> This improves a number of things:
>
> - stop the service while regenerating keys, rather than disabling its
> auto-start
Not sure this is going to work. There is this "Before=ssh.service"
which I would expect makes sure it should never end up being
"is-active". And that dpkg-reconfigure also plays with is-active ...
/var/lib/dpkg/info/openssh-server.postinst
The idea was to reuse the key generation code from that postinst, but
the construct we need to build to get that to work seems to be getting
out of hand and too complicated. In fact it is systemd-only, which
could be an issue for some.
Maybe running after ssh
- remove
- "create with own code"
- "copy those few ssh-keygen lines"
- or "source openssh-server.postinst && create_keys"
- killall -HUP sshd (systemctl reload ssh)
might turn out to be the simpler and easier to maintain version.
For sure Harald should be involved, did add him to Cc.
Henning
> - fix restart test condition
> - also check that /tmp is writable (better safe than sorry)
> - do not disable the regen service if it was not successful
>
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>
> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> server if previously disabled".
>
> .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
> .../sshd-regen-keys/files/sshd-regen-keys.sh | 14
> ++++++++------ ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0
> 3 files changed, 9 insertions(+), 7 deletions(-)
> rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb
> => sshd-regen-keys_0.4.bb} (100%)
>
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c8..e7142e69 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -5,13 +5,13 @@ Conflicts=shutdown.target
> After=systemd-remount-fs.service Before=shutdown.target ssh.service
> ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> Environment=DEBIAN_FRONTEND=noninteractive
> ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> StandardOutput=syslog
> StandardError=syslog
>
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index
> 910d879b..9b19f9d3 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@
> -1,9 +1,9 @@ #!/usr/bin/env sh
> echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> - SSHD_ENABLED="true"
> - systemctl disable --no-reload ssh
> +if systemctl is-active ssh; then
> + SSHD_ACTIVE="true"
> + systemctl stop ssh
> fi
>
> echo "Removing keys ..."
> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key*
> echo "Regenerating keys ..."
> dpkg-reconfigure openssh-server
>
> -if test -n $SSHD_ENABLED; then
> - echo "Reenabling ssh server ..."
> - systemctl enable --no-reload ssh
> +if test -n "$SSHD_ACTIVE"; then
> + echo "Restarting ssh server ..."
> + systemctl start ssh
> fi
>
> +systemctl disable sshd-regen-keys.service
> +
> sync
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> similarity index 100% rename from
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-25 14:30 ` Henning Schild
@ 2021-03-25 18:53 ` Jan Kiszka
2021-03-26 7:35 ` Henning Schild
From: Jan Kiszka @ 2021-03-25 18:53 UTC (permalink / raw)
To: Henning Schild; +Cc: isar-users, Quirin Gylstorff, Harald Seiler
On 25.03.21 15:30, Henning Schild wrote:
> I am beginning to think we should fix that upstream. If the upstream
> service file would generate the keys if missing ... all isar would need
> to do is remove the files. Either with a package hook or with an
> image-postprocess
>
> On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
>
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> This improves a number of things:
>>
>> - stop the service while regenerating keys, rather than disabling its
>> auto-start
>
> Not sure this is going to work. There is this "Before=ssh.service"
> which I would expect makes sure it should never end up being
> "is-active". And that dpkg-reconfigure also plays with is-active ...
> /var/lib/dpkg/info/openssh-server.postinst
>
> The idea was to reuse the key generation code from that postinst, but
> the construct we need to build to get that to work seems to be getting
> out of hand and too complicated. In fact it is systemd-only, which
> could be an issue for some.
>
> Maybe running after ssh
> - remove
> - "create with own code"
> - "copy those few ssh-keygen lines"
> - or "source openssh-server.postinst && create_keys"
> - killall -HUP sshd (systemctl reload ssh)
> might turn out to be the simpler and easier to maintain version.
>
> For sure Harald should be involved, did add him to Cc.
>
I don't mind any simpler solution. It needs to be robust as well, that's
all. The one we have so far once again fell apart today and cost me
hours to understand and resolve (because it was slow to reproduce).
Jan
> Henning
>
>> - fix restart test condition
>> - also check that /tmp is writable (better safe than sorry)
>> - do not disable the regen service if it was not successful
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>
>> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
>> server if previously disabled".
>>
>> .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
>> .../sshd-regen-keys/files/sshd-regen-keys.sh | 14
>> ++++++++------ ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0
>> 3 files changed, 9 insertions(+), 7 deletions(-)
>> rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb
>> => sshd-regen-keys_0.4.bb} (100%)
>>
>> diff --git
>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>> index f50d34c8..e7142e69 100644 ---
>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>> +++
>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>> @@ -5,13 +5,13 @@ Conflicts=shutdown.target
>> After=systemd-remount-fs.service Before=shutdown.target ssh.service
>> ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> Environment=DEBIAN_FRONTEND=noninteractive
>> ExecStart=/usr/sbin/sshd-regen-keys.sh
>> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>> StandardOutput=syslog
>> StandardError=syslog
>>
>> diff --git
>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index
>> 910d879b..9b19f9d3 100644 ---
>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@
>> -1,9 +1,9 @@ #!/usr/bin/env sh
>> echo -n "SSH server is "
>> -if systemctl is-enabled ssh; then
>> - SSHD_ENABLED="true"
>> - systemctl disable --no-reload ssh
>> +if systemctl is-active ssh; then
>> + SSHD_ACTIVE="true"
>> + systemctl stop ssh
>> fi
>>
>> echo "Removing keys ..."
>> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key*
>> echo "Regenerating keys ..."
>> dpkg-reconfigure openssh-server
>>
>> -if test -n $SSHD_ENABLED; then
>> - echo "Reenabling ssh server ..."
>> - systemctl enable --no-reload ssh
>> +if test -n "$SSHD_ACTIVE"; then
>> + echo "Restarting ssh server ..."
>> + systemctl start ssh
>> fi
>>
>> +systemctl disable sshd-regen-keys.service
>> +
>> sync
>> diff --git
>> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
>> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>> similarity index 100% rename from
>> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to
>> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-25 18:53 ` Jan Kiszka
@ 2021-03-26 7:35 ` Henning Schild
2021-03-26 8:14 ` Henning Schild
From: Henning Schild @ 2021-03-26 7:35 UTC (permalink / raw)
To: Jan Kiszka; +Cc: isar-users, Quirin Gylstorff, Harald Seiler
On Thu, 25 Mar 2021 19:53:46 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> On 25.03.21 15:30, Henning Schild wrote:
> > I am beginning to think we should fix that upstream. If the upstream
> > service file would generate the keys if missing ... all isar would
> > need to do is remove the files. Either with a package hook or with an
> > image-postprocess
> >
> > On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> >
> >> From: Jan Kiszka <jan.kiszka@siemens.com>
> >>
> >> This improves a number of things:
> >>
> >> - stop the service while regenerating keys, rather than disabling
> >> its auto-start
> >
> > Not sure this is going to work. There is this "Before=ssh.service"
> > which I would expect makes sure it should never end up being
> > "is-active". And that dpkg-reconfigure also plays with is-active ...
> > /var/lib/dpkg/info/openssh-server.postinst
> >
> > The idea was to reuse the key generation code from that postinst,
> > but the construct we need to build to get that to work seems to be
> > getting out of hand and too complicated. In fact it is
> > systemd-only, which could be an issue for some.
> >
> > Maybe running after ssh
> > - remove
> > - "create with own code"
> > - "copy those few ssh-keygen lines"
> > - or "source openssh-server.postinst && create_keys"
> > - killall -HUP sshd (systemctl reload ssh)
> > might turn out to be the simpler and easier to maintain version.
> >
> > For sure Harald should be involved, did add him to Cc.
> >
>
> I don't mind any simpler solution. It needs to be robust as well,
> that's all. The one we have so far once again fell apart today and
> cost me hours to understand and resolve (because it was slow to
> reproduce).
What I proposed should hopefully be more robust and simpler, but I have
no time to implement and test it.
What could be even simpler
/etc/systemd/system/sshd.service.d/generate-missing-keys.conf
[Service]
ExecStartPre=
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
DEBIAN_DEPENDS="openssh-server"
postinst
rm -v /etc/ssh/ssh_host_*_key*
That ExecStartPre is what seems to be missing in the service file from
Debian because they seem to assume they fully deal with keys at
installation time and never at runtime.
Unfortunately we need 3 lines because we need to prepend before the
"sshd -t". First to "overwrite", second "our content", third "content
from original"
Tried that manually on a system, with the systemd snippet you get new
keys every time the existing ones go missing.
regards,
Henning
>
> Jan
>
> > Henning
> >
> >> - fix restart test condition
> >> - also check that /tmp is writable (better safe than sorry)
> >> - do not disable the regen service if it was not successful
> >>
> >> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> >> ---
> >>
> >> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> >> server if previously disabled".
> >>
> >> .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
> >> .../sshd-regen-keys/files/sshd-regen-keys.sh | 14
> >> ++++++++------ ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb}
> >> | 0 3 files changed, 9 insertions(+), 7 deletions(-)
> >> rename
> >> meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb =>
> >> sshd-regen-keys_0.4.bb} (100%)
> >>
> >> diff --git
> >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >> index f50d34c8..e7142e69 100644 ---
> >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >> +++
> >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >> @@ -5,13 +5,13 @@ Conflicts=shutdown.target
> >> After=systemd-remount-fs.service Before=shutdown.target ssh.service
> >> ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp
> >> [Service]
> >> Type=oneshot
> >> RemainAfterExit=yes
> >> Environment=DEBIAN_FRONTEND=noninteractive
> >> ExecStart=/usr/sbin/sshd-regen-keys.sh
> >> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> >> StandardOutput=syslog
> >> StandardError=syslog
> >>
> >> diff --git
> >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >> index 910d879b..9b19f9d3 100644 ---
> >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@
> >> -1,9 +1,9 @@ #!/usr/bin/env sh
> >> echo -n "SSH server is "
> >> -if systemctl is-enabled ssh; then
> >> - SSHD_ENABLED="true"
> >> - systemctl disable --no-reload ssh
> >> +if systemctl is-active ssh; then
> >> + SSHD_ACTIVE="true"
> >> + systemctl stop ssh
> >> fi
> >>
> >> echo "Removing keys ..."
> >> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key*
> >> echo "Regenerating keys ..."
> >> dpkg-reconfigure openssh-server
> >>
> >> -if test -n $SSHD_ENABLED; then
> >> - echo "Reenabling ssh server ..."
> >> - systemctl enable --no-reload ssh
> >> +if test -n "$SSHD_ACTIVE"; then
> >> + echo "Restarting ssh server ..."
> >> + systemctl start ssh
> >> fi
> >>
> >> +systemctl disable sshd-regen-keys.service
> >> +
> >> sync
> >> diff --git
> >> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> >> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> >> similarity index 100% rename from
> >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename
> >> to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> >
>
* [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-25 12:54 [PATCH] sshd-regen-keys: Improve service, make more robust Jan Kiszka
2021-03-25 14:30 ` Henning Schild
@ 2021-03-26 8:11 ` Henning Schild
2021-03-26 9:24 ` Henning Schild
` (2 more replies)
From: Henning Schild @ 2021-03-26 8:11 UTC (permalink / raw)
To: isar-users; +Cc: Jan Kiszka, Henning Schild
Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
With this we would generate new host keys every time the service starts
and no keys exist. Removing the keys from openssh-server in a postinst
makes it complete so that we really only generate on the first boot.
This is easier to handle than reusing the Debian package hooks for key
generation.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
.../sshd-regen-keys/files/postinst | 2 ++
.../files/sshd-regen-keys.service | 4 +---
.../sshd-regen-keys/files/sshd-regen-keys.sh | 20 -------------------
.../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ----------------
.../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++
5 files changed, 17 insertions(+), 40 deletions(-)
delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst
index ae722a7349a2..1c9b03e3e040 100644
--- a/meta/recipes-support/sshd-regen-keys/files/postinst
+++ b/meta/recipes-support/sshd-regen-keys/files/postinst
@@ -1,4 +1,6 @@
#!/bin/sh
set -e
+rm /etc/ssh/ssh_host_*_key*
+
systemctl enable sshd-regen-keys.service
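Review bot: with `set -e` in force, `rm /etc/ssh/ssh_host_*_key*` aborts the postinst whenever the glob matches nothing (an unmatched glob is passed to rm literally and rm exits non-zero), for example when the package is reconfigured on a system whose keys were already removed but not yet regenerated. Use `rm -f` so the removal is idempotent. The ordering on a normal install is fine: the recipe depends on openssh-server, so its postinst has created the keys by the time this one deletes them.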
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index f50d34c820d8..af98d5e9e966 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc
[Service]
Type=oneshot
RemainAfterExit=yes
-Environment=DEBIAN_FRONTEND=noninteractive
-ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
+ExecStart=/usr/bin/ssh-keygen -A
StandardOutput=syslog
StandardError=syslog
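Review bot: since `ssh-keygen -A` only creates key types that are absent, the unit is now idempotent and can stay enabled, and a failing ssh-keygen correctly fails the oneshot. What is lost with the deleted script is its trailing `sync`: on a device that loses power shortly after first boot, sshd (ordered after this unit) may already have presented host keys that never reached the flash, and the next boot generates a different identity. Add `ExecStartPost=/bin/sync` or an equivalent flush. Minor, unchanged context: `StandardOutput=syslog`/`StandardError=syslog` are deprecated in newer systemd in favour of `journal`.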
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
deleted file mode 100644
index 910d879ba51f..000000000000
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env sh
-
-echo -n "SSH server is "
-if systemctl is-enabled ssh; then
- SSHD_ENABLED="true"
- systemctl disable --no-reload ssh
-fi
-
-echo "Removing keys ..."
-rm -v /etc/ssh/ssh_host_*_key*
-
-echo "Regenerating keys ..."
-dpkg-reconfigure openssh-server
-
-if test -n $SSHD_ENABLED; then
- echo "Reenabling ssh server ..."
- systemctl enable --no-reload ssh
-fi
-
-sync
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
deleted file mode 100644
index 6f12414239a3..000000000000
--- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-# This software is a part of ISAR.
-inherit dpkg-raw
-
-DESCRIPTION = "Systemd service to regenerate sshd keys"
-MAINTAINER = "isar-users <isar-users@googlegroups.com>"
-DEBIAN_DEPENDS = "openssh-server, systemd"
-
-SRC_URI = "file://postinst \
- file://sshd-regen-keys.service \
- file://sshd-regen-keys.sh"
-
-do_install[cleandirs] = "${D}/lib/systemd/system \
- ${D}/usr/sbin"
-do_install() {
- install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
- install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
-}
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
new file mode 100644
index 000000000000..8b1cd8d4aba0
--- /dev/null
+++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
@@ -0,0 +1,14 @@
+# This software is a part of ISAR.
+inherit dpkg-raw
+
+DESCRIPTION = "Systemd service to regenerate sshd keys"
+MAINTAINER = "isar-users <isar-users@googlegroups.com>"
+DEBIAN_DEPENDS = "openssh-server, systemd"
+
+SRC_URI = "file://postinst \
+ file://sshd-regen-keys.service"
+
+do_install() {
+ install -m 0755 "${D}/lib/systemd/system"
+ install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
+}
--
2.26.3
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-26 7:35 ` Henning Schild
@ 2021-03-26 8:14 ` Henning Schild
From: Henning Schild @ 2021-03-26 8:14 UTC (permalink / raw)
To: Jan Kiszka; +Cc: isar-users, Quirin Gylstorff, Harald Seiler
On Fri, 26 Mar 2021 08:35:51 +0100, "[ext] Henning Schild" <henning.schild@siemens.com> wrote:
> On Thu, 25 Mar 2021 19:53:46 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
>
> > On 25.03.21 15:30, Henning Schild wrote:
> > > I am beginning to think we should fix that upstream. If the
> > > upstream service file would generate the keys if missing ... all
> > > isar would need to do is remove the files. Either with a package
> > > hook or with an image-postprocess
> > >
> > > On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> > >
> > >> From: Jan Kiszka <jan.kiszka@siemens.com>
> > >>
> > >> This improves a number of things:
> > >>
> > >> - stop the service while regenerating keys, rather than
> > >> disabling its auto-start
> > >
> > > Not sure this is going to work. There is this "Before=ssh.service"
> > > which I would expect makes sure it should never end up being
> > > "is-active". And that dpkg-reconfigure also plays with is-active
> > > ... /var/lib/dpkg/info/openssh-server.postinst
> > >
> > > The idea was to reuse the key generation code from that postinst,
> > > but the construct we need to build to get that to work seems to be
> > > getting out of hand and too complicated. In fact it is
> > > systemd-only, which could be an issue for some.
> > >
> > > Maybe running after ssh
> > > - remove
> > > - "create with own code"
> > > - "copy those few ssh-keygen lines"
> > > - or "source openssh-server.postinst && create_keys"
> > > - killall -HUP sshd (systemctl reload ssh)
> > > might turn out to be the simpler and easier to maintain version.
> > >
> > > For sure Harald should be involved, did add him to Cc.
> > >
> >
> > I don't mind any simpler solution. It needs to be robust as well,
> > that's all. The one we have so far once again fell apart today and
> > cost me hours to understand and resolve (because it was slow to
> > reproduce).
>
> What I proposed should hopefully be more robust and simpler, but I
> have no time to implement and test it.
>
> What could be even simpler
>
> /etc/systemd/system/sshd.service.d/generate-missing-keys.conf
> [Service]
> ExecStartPre=
> ExecStartPre=/usr/bin/ssh-keygen -A
> ExecStartPre=/usr/sbin/sshd -t
>
> DEBIAN_DEPENDS="openssh-server"
>
> postinst
> rm -v /etc/ssh/ssh_host_*_key*
>
> That ExecStartPre is what seems to be missing in the service file from
> Debian because they seem to assume they fully deal with keys at
> installation time and never at runtime.
> Unfortunately we need 3 lines because we need to prepend before the
> "sshd -t". First to "overwrite", second "our content", third "content
> from original"
Because of that prepend and having to copy existing "ExecStartPre" into
the snippet, a Before-service is probably better. Because that simply
does not care what the original service might look like.
Did send a patch.
regards,
Henning
> Tried that manually on a system, with the systemd snippet you get new
> keys every time the existing ones go missing.
>
> regards,
> Henning
>
> >
> > Jan
> >
> > > Henning
> > >
> > >> - fix restart test condition
> > >> - also check that /tmp is writable (better safe than sorry)
> > >> - do not disable the regen service if it was not successful
> > >>
> > >> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> > >> ---
> > >>
> > >> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
> > >> server if previously disabled".
> > >>
> > >> .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
> > >> .../sshd-regen-keys/files/sshd-regen-keys.sh | 14
> > >> ++++++++------ ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb}
> > >> | 0 3 files changed, 9 insertions(+), 7 deletions(-)
> > >> rename
> > >> meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb =>
> > >> sshd-regen-keys_0.4.bb} (100%)
> > >>
> > >> diff --git
> > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > >> index f50d34c8..e7142e69 100644 ---
> > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > >> +++
> > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > >> @@ -5,13 +5,13 @@ Conflicts=shutdown.target
> > >> After=systemd-remount-fs.service Before=shutdown.target
> > >> ssh.service ConditionPathIsReadWrite=/etc
> > >> +ConditionPathIsReadWrite=/tmp [Service]
> > >> Type=oneshot
> > >> RemainAfterExit=yes
> > >> Environment=DEBIAN_FRONTEND=noninteractive
> > >> ExecStart=/usr/sbin/sshd-regen-keys.sh
> > >> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > >> StandardOutput=syslog
> > >> StandardError=syslog
> > >>
> > >> diff --git
> > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > >> index 910d879b..9b19f9d3 100644 ---
> > >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > >> +++
> > >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > >> @@ -1,9 +1,9 @@ #!/usr/bin/env sh echo -n "SSH server is "
> > >> -if systemctl is-enabled ssh; then
> > >> - SSHD_ENABLED="true"
> > >> - systemctl disable --no-reload ssh
> > >> +if systemctl is-active ssh; then
> > >> + SSHD_ACTIVE="true"
> > >> + systemctl stop ssh
> > >> fi
> > >>
> > >> echo "Removing keys ..."
> > >> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key*
> > >> echo "Regenerating keys ..."
> > >> dpkg-reconfigure openssh-server
> > >>
> > >> -if test -n $SSHD_ENABLED; then
> > >> - echo "Reenabling ssh server ..."
> > >> - systemctl enable --no-reload ssh
> > >> +if test -n "$SSHD_ACTIVE"; then
> > >> + echo "Restarting ssh server ..."
> > >> + systemctl start ssh
> > >> fi
> > >>
> > >> +systemctl disable sshd-regen-keys.service
> > >> +
> > >> sync
> > >> diff --git
> > >> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > >> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > >> similarity index 100% rename from
> > >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > >> rename to
> > >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > >
> >
>
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
2021-03-26 8:11 ` Henning Schild
@ 2021-03-26 9:24 ` Henning Schild
2021-03-26 9:44 ` Harald Seiler
2021-03-30 10:15 ` Henning Schild
From: Henning Schild @ 2021-03-26 9:24 UTC (permalink / raw)
To: isar-users; +Cc: Jan Kiszka, Harald Seiler, Quirin Gylstorff
This uses the same subject line as the patch from Jan, maybe I should
have used v2 or another line.
It is the outcome of the review on Jan's patch but uses a different
approach on key regeneration.
Jan please test it and let me know what you think. Feel free to take
over and massage it further in case this looks like a valid approach.
regards,
Henning
On Fri, 26 Mar 2021 09:11:08 +0100, Henning Schild <henning.schild@siemens.com> wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service
> starts and no keys exist. Removing the keys from openssh-server in a
> postinst makes it complete so that we really only generate on the
> first boot.
>
> This is easier to handle than reusing the Debian package hooks for key
> generation.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> .../sshd-regen-keys/files/postinst | 2 ++
> .../files/sshd-regen-keys.service | 4 +---
> .../sshd-regen-keys/files/sshd-regen-keys.sh | 20
> ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb |
> 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb |
> 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> delete mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete
> mode 100644
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create
> mode 100644
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> b/meta/recipes-support/sshd-regen-keys/files/postinst index
> ae722a7349a2..1c9b03e3e040 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/postinst +++
> b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@
> #!/bin/sh
> set -e
>
> +rm /etc/ssh/ssh_host_*_key*
> +
> systemctl enable sshd-regen-keys.service
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c820d8..af98d5e9e966 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot
> RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> +ExecStart=/usr/bin/ssh-keygen -A
> StandardOutput=syslog
> StandardError=syslog
>
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> deleted file mode 100644 index 910d879ba51f..000000000000 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> /dev/null @@ -1,20 +0,0 @@
> -#!/usr/bin/env sh
> -
> -echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> - SSHD_ENABLED="true"
> - systemctl disable --no-reload ssh
> -fi
> -
> -echo "Removing keys ..."
> -rm -v /etc/ssh/ssh_host_*_key*
> -
> -echo "Regenerating keys ..."
> -dpkg-reconfigure openssh-server
> -
> -if test -n $SSHD_ENABLED; then
> - echo "Reenabling ssh server ..."
> - systemctl enable --no-reload ssh
> -fi
> -
> -sync
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted
> file mode 100644 index 6f12414239a3..000000000000 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++
> /dev/null @@ -1,17 +0,0 @@
> -# This software is a part of ISAR.
> -inherit dpkg-raw
> -
> -DESCRIPTION = "Systemd service to regenerate sshd keys"
> -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> -DEBIAN_DEPENDS = "openssh-server, systemd"
> -
> -SRC_URI = "file://postinst \
> - file://sshd-regen-keys.service \
> - file://sshd-regen-keys.sh"
> -
> -do_install[cleandirs] = "${D}/lib/systemd/system \
> - ${D}/usr/sbin"
> -do_install() {
> - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" -}
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> @@ -0,0 +1,14 @@
> +# This software is a part of ISAR.
> +inherit dpkg-raw
> +
> +DESCRIPTION = "Systemd service to regenerate sshd keys"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "openssh-server, systemd"
> +
> +SRC_URI = "file://postinst \
> + file://sshd-regen-keys.service"
> +
> +do_install() {
> + install -m 0755 "${D}/lib/systemd/system"
> + install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service" +}
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
From: Harald Seiler @ 2021-03-26 9:44 UTC (permalink / raw)
To: Henning Schild, isar-users; +Cc: Jan Kiszka
Hi,
On Fri, 2021-03-26 at 09:11 +0100, Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
>
> This is easier to handle than reusing the debian package hooks for key
> generation.
Yes, this is a _much_ more robust solution, I agree. The debian hooks
were a mess to deal with and we had so many edge cases over time that not
relying on them here is a much better choice. This also means the package
would now work on a target where dpkg was removed for size constraints.
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> .../sshd-regen-keys/files/postinst | 2 ++
> .../files/sshd-regen-keys.service | 4 +---
> .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 -------------------
> .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ----------------
> .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++
> 5 files changed, 17 insertions(+), 40 deletions(-)
> delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst
> index ae722a7349a2..1c9b03e3e040 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/postinst
> +++ b/meta/recipes-support/sshd-regen-keys/files/postinst
> @@ -1,4 +1,6 @@
> #!/bin/sh
> set -e
>
>
> +rm /etc/ssh/ssh_host_*_key*
> +
Just to make sure, this will always run after the openssh-server postinst
which initially generates the keys?
> systemctl enable sshd-regen-keys.service
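Review bot: `rm /etc/ssh/ssh_host_*_key*` under `set -e` aborts the postinst whenever the glob matches nothing, because the shell passes the unexpanded pattern to rm and rm fails on it, so package configuration breaks on any rootfs where no host key is present; `rm -f /etc/ssh/ssh_host_*_key*` keeps the script idempotent and is the usual spelling for a "remove if present" step. On the ordering question above: the recipe's `DEBIAN_DEPENDS = "openssh-server, systemd"` makes dpkg configure openssh-server (whose own postinst creates the initial keys) before this package, so the removal does run after generation, but `-f` is the right guard regardless of that ordering.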
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c820d8..af98d5e9e966 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> -Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> +ExecStart=/usr/bin/ssh-keygen -A
> StandardOutput=syslog
> StandardError=syslog
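Review bot: the deleted sshd-regen-keys.sh ended with `sync` and this unit has no replacement for it, so the keys written by `ExecStart=/usr/bin/ssh-keygen -A` may still sit only in the page cache when sshd starts using them; an unclean power-off during first boot can then leave truncated or absent key files on flash, and the device comes back with a different host identity (or no loadable key) on the next boot. Suggest adding `ExecStartPost=/bin/sync` after the ExecStart line. Dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` is correct: `ssh-keygen -A` only creates key types whose files are missing, so running the oneshot on every boot is harmless, and the `ConditionPathIsReadWrite=/etc` context line already keeps it off read-only systems.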
This is also much cleaner because it no longer relies on the "self
disabling service hack". Much preferred! Not sure if worth it, because
ssh-keygen already ignores existing keys, but maybe we could add some
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
(== systemd will skip the unit if all keys are present). This would also
hide the service in the startup log when all keys exist where it would
otherwise show up unconditionally.
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> deleted file mode 100644
> index 910d879ba51f..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -#!/usr/bin/env sh
> -
> -echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> - SSHD_ENABLED="true"
> - systemctl disable --no-reload ssh
> -fi
> -
> -echo "Removing keys ..."
> -rm -v /etc/ssh/ssh_host_*_key*
> -
> -echo "Regenerating keys ..."
> -dpkg-reconfigure openssh-server
> -
> -if test -n $SSHD_ENABLED; then
> - echo "Reenabling ssh server ..."
> - systemctl enable --no-reload ssh
> -fi
> -
> -sync
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> deleted file mode 100644
> index 6f12414239a3..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -# This software is a part of ISAR.
> -inherit dpkg-raw
> -
> -DESCRIPTION = "Systemd service to regenerate sshd keys"
> -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> -DEBIAN_DEPENDS = "openssh-server, systemd"
> -
> -SRC_URI = "file://postinst \
> - file://sshd-regen-keys.service \
> - file://sshd-regen-keys.sh"
> -
> -do_install[cleandirs] = "${D}/lib/systemd/system \
> - ${D}/usr/sbin"
> -do_install() {
> - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
> -}
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> new file mode 100644
> index 000000000000..8b1cd8d4aba0
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> @@ -0,0 +1,14 @@
> +# This software is a part of ISAR.
> +inherit dpkg-raw
> +
> +DESCRIPTION = "Systemd service to regenerate sshd keys"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "openssh-server, systemd"
> +
> +SRC_URI = "file://postinst \
> + file://sshd-regen-keys.service"
> +
> +do_install() {
> + install -m 0755 "${D}/lib/systemd/system"
> + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> +}
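Review bot: `install -m 0755 "${D}/lib/systemd/system"` is missing `-d`; with a single operand install reports a missing destination operand and do_install fails before the unit file is copied, so the line should read `install -d -m 0755 "${D}/lib/systemd/system"`. The new recipe also drops the `do_install[cleandirs]` flag that the 0.3 recipe set for `${D}/lib/systemd/system`; keeping it (now for that one directory) costs nothing and guarantees a clean ${D} on rebuilds.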
> --
> 2.26.3
Otherwise:
Reviewed-by: Harald Seiler <hws@denx.de>
--
Harald
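A shell sketch of the two behaviours discussed above, the OR-grouped negated `ConditionPathExists` lines and the fact that `ssh-keygen -A` only creates missing keys, added here as an example and not part of the Isar recipe or the patch. The rootfs it builds under a temporary directory, with a placeholder instead of a real key, is constructed; the key-counting function doubles as an audit that a built image ships with no host keys. It assumes OpenSSH's `-f <prefix>` handling for `-A` (keys are written under `<prefix>/etc/ssh`) and skips generation when ssh-keygen is not installed.

```shell
#!/bin/sh
# Added example for this review; not part of the Isar recipe or the patch.
# Emulates the first-boot check the unit relies on and doubles as an image
# audit. Assumed layout: <rootfs>/etc/ssh, built under a temp dir below.

# Key types that "ssh-keygen -A" creates by default on current OpenSSH.
KEY_TYPES="rsa ecdsa ed25519"

# Count host private keys under a rootfs. An audit of a built image should
# report 0 here: the postinst removes the keys so each device creates its own.
count_host_keys() {
    n=0
    for f in "$1"/etc/ssh/ssh_host_*_key; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Mirror of the suggested unit conditions
#   ConditionPathExists=|!/etc/ssh/ssh_host_<type>_key   (one line per type)
# "|" turns the lines into an OR group and "!" negates each one, so the unit
# runs when ANY key is missing and is skipped only when all are present.
# Returns 0 when regeneration is needed, 1 when every key exists.
regen_needed() {
    for t in $KEY_TYPES; do
        [ -e "$1/etc/ssh/ssh_host_${t}_key" ] || return 0
    done
    return 1
}

# Generate only the missing keys, as the unit's ExecStart does for /.
# "-f <prefix>" makes ssh-keygen -A write under <prefix>/etc/ssh instead.
# Returns 2 when ssh-keygen is not installed so callers can skip the step.
regen_keys() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    ssh-keygen -A -f "$1" >/dev/null
}

# Constructed sample rootfs: one placeholder key present, the others missing.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    echo "placeholder-not-a-real-key" > "$d/etc/ssh/ssh_host_rsa_key"
    echo "$d"
}

demo() {
    r=$(make_sample_rootfs)
    echo "keys before: $(count_host_keys "$r")"
    if regen_needed "$r"; then echo "regeneration needed"; fi
    if regen_keys "$r"; then
        echo "keys after:  $(count_host_keys "$r")"
        if regen_needed "$r"; then echo "still missing keys"; else echo "all present"; fi
    else
        echo "ssh-keygen not available, skipped generation"
    fi
    rm -rf "$r"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` on a build host to see the placeholder key survive untouched while the missing types are created.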
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
From: Henning Schild @ 2021-03-30 9:21 UTC (permalink / raw)
To: Harald Seiler, Jan Kiszka; +Cc: isar-users
On Fri, 26 Mar 2021 10:44:39 +0100
Harald Seiler <hws@denx.de> wrote:
> Hi,
>
> On Fri, 2021-03-26 at 09:11 +0100, Henning Schild wrote:
> > Switch to using "/usr/bin/ssh-keygen -A" instead of
> > dpkg-reconfigure. With this we would generate new host keys every
> > time the service starts and no keys exist. Removing the keys from
> > openssh-server in a postinst makes it complete so that we really
> > only generate on the first boot.
> >
> > This is easier to handle than reusing the debian package hooks for
> > key generation.
>
> Yes, this is a _much_ more robust solution, I agree. The debian hooks
> were a mess to deal with and we had so many edge cases over time that
> not relying on them here is a much better choice. This also means
> the package would now work on a target where dpkg was removed for
> size constraints.
Thanks for the positive review.
@Jan did you get around to testing this for your use-case?
Henning
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> > .../sshd-regen-keys/files/postinst | 2 ++
> > .../files/sshd-regen-keys.service | 4 +---
> > .../sshd-regen-keys/files/sshd-regen-keys.sh | 20
> > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb |
> > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb |
> > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> > delete mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > delete mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create
> > mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> >
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> > b/meta/recipes-support/sshd-regen-keys/files/postinst index
> > ae722a7349a2..1c9b03e3e040 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/postinst +++
> > b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6
> > @@ #!/bin/sh
> > set -e
> >
> >
> > +rm /etc/ssh/ssh_host_*_key*
> > +
>
> Just to make sure, this will always run after the openssh-server
> postinst which initially generates the keys?
>
> > systemctl enable sshd-regen-keys.service
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index f50d34c820d8..af98d5e9e966 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service]
> > Type=oneshot RemainAfterExit=yes
> > -Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/usr/sbin/sshd-regen-keys.sh
> > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog
> > StandardError=syslog
>
> This is also much cleaner because it no longer relies on the "self
> disabling service hack". Much preferred! Not sure if worth it,
> because ssh-keygen already ignores existing keys, but maybe we could
> add some
>
> ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
>
> (== systemd will skip the unit if all keys are present). This would
> also hide the service in the startup log when all keys exist where it
> would otherwise show up unconditionally.
>
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > deleted file mode 100644 index 910d879ba51f..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> > /dev/null @@ -1,20 +0,0 @@
> > -#!/usr/bin/env sh
> > -
> > -echo -n "SSH server is "
> > -if systemctl is-enabled ssh; then
> > - SSHD_ENABLED="true"
> > - systemctl disable --no-reload ssh
> > -fi
> > -
> > -echo "Removing keys ..."
> > -rm -v /etc/ssh/ssh_host_*_key*
> > -
> > -echo "Regenerating keys ..."
> > -dpkg-reconfigure openssh-server
> > -
> > -if test -n $SSHD_ENABLED; then
> > - echo "Reenabling ssh server ..."
> > - systemctl enable --no-reload ssh
> > -fi
> > -
> > -sync
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > deleted file mode 100644 index 6f12414239a3..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++
> > /dev/null @@ -1,17 +0,0 @@
> > -# This software is a part of ISAR.
> > -inherit dpkg-raw
> > -
> > -DESCRIPTION = "Systemd service to regenerate sshd keys"
> > -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > -DEBIAN_DEPENDS = "openssh-server, systemd"
> > -
> > -SRC_URI = "file://postinst \
> > - file://sshd-regen-keys.service \
> > - file://sshd-regen-keys.sh"
> > -
> > -do_install[cleandirs] = "${D}/lib/systemd/system \
> > - ${D}/usr/sbin"
> > -do_install() {
> > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd-regen-keys.sh" -}
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> > file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > @@ -0,0 +1,14 @@
> > +# This software is a part of ISAR.
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Systemd service to regenerate sshd keys"
> > +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > +DEBIAN_DEPENDS = "openssh-server, systemd"
> > +
> > +SRC_URI = "file://postinst \
> > + file://sshd-regen-keys.service"
> > +
> > +do_install() {
> > + install -m 0755 "${D}/lib/systemd/system"
> > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service" +}
> > --
> > 2.26.3
>
> Otherwise:
>
> Reviewed-by: Harald Seiler <hws@denx.de>
>
* Re: [PATCH] sshd-regen-keys: Improve service, make more robust
From: Henning Schild @ 2021-03-30 10:15 UTC (permalink / raw)
To: isar-users; +Cc: Jan Kiszka
On Fri, 26 Mar 2021 09:11:08 +0100
Henning Schild <henning.schild@siemens.com> wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service
> starts and no keys exist. Removing the keys from openssh-server in a
> postinst makes it complete so that we really only generate on the
> first boot.
>
> This is easier to handle than reusing the debian package hooks for key
> generation.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> .../sshd-regen-keys/files/postinst | 2 ++
> .../files/sshd-regen-keys.service | 4 +---
> .../sshd-regen-keys/files/sshd-regen-keys.sh | 20
> ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb |
> 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb |
> 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> delete mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete
> mode 100644
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create
> mode 100644
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> b/meta/recipes-support/sshd-regen-keys/files/postinst index
> ae722a7349a2..1c9b03e3e040 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/postinst +++
> b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@
> #!/bin/sh
> set -e
>
> +rm /etc/ssh/ssh_host_*_key*
> +
> systemctl enable sshd-regen-keys.service
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c820d8..af98d5e9e966 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot
> RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> +ExecStart=/usr/bin/ssh-keygen -A
> StandardOutput=syslog
> StandardError=syslog
>
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> deleted file mode 100644 index 910d879ba51f..000000000000 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> /dev/null @@ -1,20 +0,0 @@
> -#!/usr/bin/env sh
> -
> -echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> - SSHD_ENABLED="true"
> - systemctl disable --no-reload ssh
> -fi
> -
> -echo "Removing keys ..."
> -rm -v /etc/ssh/ssh_host_*_key*
> -
> -echo "Regenerating keys ..."
> -dpkg-reconfigure openssh-server
> -
> -if test -n $SSHD_ENABLED; then
> - echo "Reenabling ssh server ..."
> - systemctl enable --no-reload ssh
> -fi
> -
> -sync
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted
> file mode 100644 index 6f12414239a3..000000000000 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++
> /dev/null @@ -1,17 +0,0 @@
> -# This software is a part of ISAR.
> -inherit dpkg-raw
> -
> -DESCRIPTION = "Systemd service to regenerate sshd keys"
> -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> -DEBIAN_DEPENDS = "openssh-server, systemd"
> -
> -SRC_URI = "file://postinst \
> - file://sshd-regen-keys.service \
> - file://sshd-regen-keys.sh"
> -
> -do_install[cleandirs] = "${D}/lib/systemd/system \
> - ${D}/usr/sbin"
> -do_install() {
> - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" -}
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> @@ -0,0 +1,14 @@
> +# This software is a part of ISAR.
> +inherit dpkg-raw
> +
> +DESCRIPTION = "Systemd service to regenerate sshd keys"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "openssh-server, systemd"
> +
> +SRC_URI = "file://postinst \
> + file://sshd-regen-keys.service"
> +
> +do_install() {
> + install -m 0755 "${D}/lib/systemd/system"
Missing "-d", will send v2.
> + install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service" +}