From: Harald Seiler
To: isar-users@googlegroups.com
Subject: [PATCH] meta: Add recipe to regenerate ssh host keys
Date: Tue, 25 Sep 2018 17:53:19 +0200
Message-ID: <72b02e7ac7ff8a3079d8b988e541da37396363c3.camel@denx.de>

sshd-regen-keys is a systemd unit that will run at first boot and force sshd to generate new host keys. This prevents all devices from using the same keys.
Signed-off-by: Harald Seiler --- meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ .../sshd-regen-keys/files/sshd-regen-keys.service | 19 +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys.bb | 15 +++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/sshd-regen-keys/files/postinst create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode 100644 index 0000000..ae722a7 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service new file mode 100644 index 0000000..3b8231f --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -0,0 +1,19 @@ +[Unit] +Description=Regenerate sshd host keys +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-remount-fs.service +Before=shutdown.target sshd.service +ConditionPathIsReadWrite=/etc + +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=DEBIAN_FRONTEND=noninteractive +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb new file mode 100644 index 0000000..3b196c2 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys.bb 
@@ -0,0 +1,15 @@ +# This software is a part of ISAR. + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +inherit dpkg-raw + +do_install() { + sudo install -v -d -m 755 "${D}/lib/systemd/system" + sudo install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +}
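Review bot: in the postinst hunk, `systemctl enable sshd-regen-keys.service` runs on every maintainer-script action, so a reinstall or upgrade of this package re-enables the unit and the next boot wipes and regenerates the host keys again, even though the service disables itself in ExecStartPost after its first run; every client that pinned the device's key then sees a host-key-changed warning. Guard the enable with the action and the previous version, e.g. `if [ "$1" = "configure" ] && [ -z "$2" ]; then systemctl enable sshd-regen-keys.service; fi` (`$2` is empty only on a fresh install), and add a prerm or postrm that disables the unit on removal so no dangling symlink is left under sysinit.target.wants.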
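Review bot: in the sshd-regen-keys.service hunk, the unit is wanted by sysinit.target with DefaultDependencies=no and ordered only After=systemd-remount-fs.service, so `dpkg-reconfigure openssh-server` can generate the host keys before systemd-random-seed.service has restored the seed and before any hardware RNG driver or entropy daemon is running; first-boot key generation with little entropy is the classic source of weak or repeated embedded host keys, which is the very problem this unit exists to fix. Suggest adding `After=systemd-random-seed.service` (plus the board's RNG service, where one exists) to the same unit. Two smaller points in this hunk: Debian ships the daemon as ssh.service and sshd.service is only an Alias created when that unit is enabled, so `Before=ssh.service` (and ssh.socket where socket activation is used) is the safer ordering; and `ConditionPathIsReadWrite=/etc` turns the unit into a silent skip on a read-only /etc, leaving the image-wide keys in place with nothing logged and the unit still enabled, so either comment that choice or make the read-only case an explicit failure.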
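Review bot: in the sshd-regen-keys.bb hunk, `file://postinst` is listed in SRC_URI but do_install never installs it, so the package relies on the dpkg-raw class picking `${WORKDIR}/postinst` up as the DEBIAN/postinst maintainer script; a one-line comment above do_install saying so would save the next reader a trip into the class. The DESCRIPTION should also state what the package does not do: the keys that make "all devices use the same keys" (commit message) are generated into the rootfs at build time and still ship in every copy of the image until the unit has run on the device, so anyone holding the image holds those private keys; if images are distributed, delete /etc/ssh/ssh_host_* from the rootfs at image build time in addition to this first-boot regeneration.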
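The commit message's goal is that no two devices end up with the same host key. The check below is an added example, not code from this patch or from Isar: it fingerprints OpenSSH public host key lines the way `ssh-keygen -l` does (SHA256 over the decoded key blob, base64 without padding) and reports any fingerprint that appears on more than one device, which is how you would verify a fleet after rolling this unit out. Lines can come from each device's /etc/ssh/ssh_host_*_key.pub or from `ssh-keyscan <host>` output (both formats are accepted). The device names and key blobs in the block are constructed for the example; the blobs are well-formed ssh-ed25519 wire encodings but not real key pairs.

```python
"""Fleet check for shared SSH host keys (added example, not part of the Isar patch)."""
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint ("SHA256:<43 base64 chars>") of one
    public key line, either ".pub" style ("<type> <blob> [comment]") or
    ssh-keyscan style ("<host> <type> <blob>")."""
    parts = pubkey_line.split()
    for i, token in enumerate(parts[:-1]):
        if token.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(parts[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no OpenSSH key type/blob pair in line: %r" % pubkey_line)


def shared_host_keys(devices: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each fingerprint carried by more than one device to the sorted list of
    those devices. `devices` maps device name -> list of public key lines."""
    carriers = defaultdict(set)
    for name, lines in devices.items():
        for line in lines:
            carriers[fingerprint(line)].add(name)
    return {fp: sorted(names) for fp, names in carriers.items() if len(names) > 1}


def _constructed_ed25519_pub(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 .pub line for the example.
    NOT a real key pair: the 32 'public key' bytes are derived from the seed so
    that different seeds give different blobs."""
    key_bytes = hashlib.sha256(b"example-seed-%d" % seed).digest()
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@device"


# Constructed fleet: device-a and device-b still carry the image-wide key,
# device-c has regenerated its own key at first boot.
IMAGE_KEY = _constructed_ed25519_pub(1)
FLEET = {
    "device-a": [IMAGE_KEY],
    "device-b": [IMAGE_KEY],
    "device-c": [_constructed_ed25519_pub(2)],
}

if __name__ == "__main__":
    for fp, names in shared_host_keys(FLEET).items():
        print("%s shared by %s" % (fp, ", ".join(names)))
```

On a real fleet, feed `shared_host_keys` one entry per device with the lines from `ssh-keyscan -t ed25519,rsa,ecdsa <host>`; an empty result is the state the sshd-regen-keys unit is supposed to produce, and any non-empty entry names devices whose first-boot regeneration did not happen (for instance because /etc was read-only when the unit was due to run).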