Message-ID: <6640e0d481695fb7f5c8ef8e7ab9e4588b984fca.camel@denx.de>
Subject: [PATCH v3] meta: Add recipe to regenerate ssh host keys
From: Harald Seiler To: Henning Schild Cc: isar-users@googlegroups.com Date: Tue, 09 Oct 2018 10:42:03 +0200 In-Reply-To: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net> References: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.30.1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TUID: L8QRYDbo3dHE sshd-regen-keys is a systemd unit that will run at first boot and force sshd to generate new host keys. This prevents all devices using the same keys. Also adds sshd-regen-keys to qemuamd64-buster.conf to ensure CI coverage. Signed-off-by: Harald Seiler --- meta-isar/conf/multiconfig/qemuamd64-buster.conf | 2 ++ meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ .../sshd-regen-keys/files/sshd-regen-keys.service | 19 +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb | 15 +++++++++++++++ 4 files changed, 40 insertions(+) create mode 100644 meta/recipes-support/sshd-regen-keys/files/postinst create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index 059ea00..bd18fcc 100644 --- a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++ b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -11,6 +11,8 @@ IMAGE_TYPE ?= "wic-img" WKS_FILE ?= "sdimage-efi" IMAGER_INSTALL += "${GRUB_BOOTLOADER_INSTALL}" +IMAGE_INSTALL += "sshd-regen-keys" + QEMU_ARCH ?= "x86_64" QEMU_MACHINE ?= "q35" QEMU_CPU ?= "" diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode 100644 index 0000000..ae722a7 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +systemctl enable sshd-regen-keys.service 
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service new file mode 100644 index 0000000..3b8231f --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -0,0 +1,19 @@ +[Unit] +Description=Regenerate sshd host keys +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-remount-fs.service +Before=shutdown.target sshd.service +ConditionPathIsReadWrite=/etc + +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=DEBIAN_FRONTEND=noninteractive +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb new file mode 100644 index 0000000..06e0cc4 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -0,0 +1,15 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +inherit dpkg-raw + +do_install() { + sudo install -v -d -m 755 "${D}/lib/systemd/system" + sudo install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +} -- Harald Seiler
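Review bot: in the postinst hunk, `systemctl enable sshd-regen-keys.service` runs on every configure, so a later reinstall or upgrade of this package on a deployed device re-enables the unit and the next boot deletes and regenerates the host keys again, which every client that pinned the old key will report as a host-key change. Enabling only on first installation avoids that, e.g. `if [ "$1" = configure ] && [ -z "$2" ]; then systemctl enable sshd-regen-keys.service; fi`.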
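Review bot: in the service hunk, with `DefaultDependencies=no` and `WantedBy=sysinit.target` the unit is ordered only `After=systemd-remount-fs.service`, but `dpkg-reconfigure openssh-server` needs the dpkg and debconf state under /var, which is not guaranteed to be mounted at that point if /var is a separate filesystem, and `ConditionPathIsReadWrite=/etc` does not cover it; an `After=local-fs.target` (or a matching `RequiresMountsFor=/var`) closes that gap. Two smaller points on the same lines: `Before=shutdown.target sshd.service` names the Debian unit by its `sshd.service` alias, which only resolves while the alias symlink exists, so `Before=ssh.service` is the safer spelling; and because this is the first boot of a freshly flashed device, key generation can run before the kernel RNG is seeded, so at least `After=systemd-random-seed.service` is worth adding and the target board should be confirmed to have a hardware RNG or a persisted seed.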
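Review bot: in the recipe hunk, nothing removes the build-time host keys from the rootfs, so the image artifact still ships the private keys of every device that has not yet completed its first boot, and anyone holding the image holds those keys; a device whose first boot fails before `ExecStart` finishes also keeps them. Consider deleting `/etc/ssh/ssh_host_*_key*` at image build time as well (the unit then only has to create what is missing), which also makes the `rm -v` in the unit a no-op safety net rather than the only thing standing between a shared key and the network.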
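As an added example that is not part of the patch or of Isar itself, the following POSIX shell script is the check a build pipeline can run against the assembled rootfs tree to confirm two things the patch cares about: that no shared `ssh_host_*_key` files are shipped in the image, and that `sshd-regen-keys.service` is actually enabled for first boot. It assumes a Debian-style layout and the symlink that `systemctl enable` creates for `WantedBy=sysinit.target` (`etc/systemd/system/sysinit.target.wants/`); the sample tree it builds to exercise the checks is constructed and contains placeholder text, not key material.

```shell
#!/bin/sh
# Added example (not part of the patch): audit a root filesystem tree for
# shipped sshd host keys and for the first-boot regeneration unit.
# Assumption: Debian-style rootfs layout; all paths below are hypothetical.

# Return 0 if no host key files exist under $1/etc/ssh, 1 otherwise,
# listing any offenders on stdout (path relative to the tree root).
rootfs_has_no_host_keys() {
    root="$1"
    found=0
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        echo "shipped host key: ${f#"$root"}"
        found=1
    done
    return $found
}

# Return 0 if the regeneration unit is enabled in the tree, i.e. the
# sysinit.target.wants symlink that `systemctl enable` creates is present.
regen_unit_enabled() {
    root="$1"
    [ -L "$root/etc/systemd/system/sysinit.target.wants/sshd-regen-keys.service" ]
}

# Combined audit: both conditions must hold for a shippable image.
audit_rootfs() {
    root="$1"
    rc=0
    if rootfs_has_no_host_keys "$root"; then
        echo "ok: no host keys in image"
    else
        echo "warn: image ships host keys shared by every device until regenerated"
        rc=1
    fi
    if regen_unit_enabled "$root"; then
        echo "ok: sshd-regen-keys.service enabled for first boot"
    else
        echo "warn: sshd-regen-keys.service is not enabled"
        rc=1
    fi
    return $rc
}

# Build a constructed sample tree so the checks can be exercised offline.
# It deliberately ships a placeholder host key to show the failing case.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh" \
             "$dir/etc/systemd/system/sysinit.target.wants" \
             "$dir/lib/systemd/system"
    : > "$dir/lib/systemd/system/sshd-regen-keys.service"
    ln -s /lib/systemd/system/sshd-regen-keys.service \
          "$dir/etc/systemd/system/sysinit.target.wants/sshd-regen-keys.service"
    # constructed placeholder, not real key material
    printf 'PLACEHOLDER' > "$dir/etc/ssh/ssh_host_ed25519_key"
    printf 'PLACEHOLDER' > "$dir/etc/ssh/ssh_host_ed25519_key.pub"
    echo "$dir"
}
```

Run `audit_rootfs /path/to/rootfs` from a build step and fail the build on a non-zero return; on the constructed sample tree the first check warns until the placeholder keys are removed, which is exactly the state an image should be in before it leaves the build host.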