Subject: [PATCH v4] meta: Add recipe to regenerate ssh host keys
From: Harald Seiler To: Henning Schild Cc: isar-users@googlegroups.com Date: Tue, 09 Oct 2018 14:13:14 +0200 In-Reply-To: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net> References: <20181002195659.44b929fc@md1pvb1c.ad001.siemens.net> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.30.1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TUID: kPy2bvSLeAwH sshd-regen-keys is a systemd unit that will run at first boot and force sshd to generate new host keys. This prevents all devices using the same keys. Also adds sshd-regen-keys to qemuamd64-buster.conf to ensure CI coverage. Signed-off-by: Harald Seiler --- This version removes an unnecessary sudo in do_install meta-isar/conf/multiconfig/qemuamd64-buster.conf | 2 ++ meta/recipes-support/sshd-regen-keys/files/postinst | 4 ++++ .../sshd-regen-keys/files/sshd-regen-keys.service | 19 +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb | 14 ++++++++++++++ 4 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/sshd-regen-keys/files/postinst create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf b/meta-isar/conf/multiconfig/qemuamd64-buster.conf index 059ea00..bd18fcc 100644 --- a/meta-isar/conf/multiconfig/qemuamd64-buster.conf +++ b/meta-isar/conf/multiconfig/qemuamd64-buster.conf @@ -11,6 +11,8 @@ IMAGE_TYPE ?= "wic-img" WKS_FILE ?= "sdimage-efi" IMAGER_INSTALL += "${GRUB_BOOTLOADER_INSTALL}" +IMAGE_INSTALL += "sshd-regen-keys" + QEMU_ARCH ?= "x86_64" QEMU_MACHINE ?= "q35" QEMU_CPU ?= "" diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst new file mode 100644 index 0000000..ae722a7 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +systemctl enable sshd-regen-keys.service 
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service new file mode 100644 index 0000000..3b8231f --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -0,0 +1,19 @@ +[Unit] +Description=Regenerate sshd host keys +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-remount-fs.service +Before=shutdown.target sshd.service +ConditionPathIsReadWrite=/etc + +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=DEBIAN_FRONTEND=noninteractive +ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" +ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb new file mode 100644 index 0000000..02e9e25 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +inherit dpkg-raw + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +do_install() { + install -v -d -m 755 "${D}/lib/systemd/system" + install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +} -- 2.14.1
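Review bot: the postinst in meta/recipes-support/sshd-regen-keys/files/postinst enables the unit unconditionally, so any later reinstall or upgrade of the package re-enables it and the next boot deletes and regenerates the host keys again, invalidating every known_hosts entry clients have pinned; guard the enable with the usual `case "$1" in configure)` check and skip it when `$2` (the previously configured version) is non-empty, or enable only when no host key exists yet.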
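Review bot: in meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service the unit runs with DefaultDependencies=no and is ordered only after systemd-remount-fs.service, so on a board with a separate /var, or with little entropy at first boot, dpkg-reconfigure may run before the dpkg database is mounted and the keys may be generated before systemd-random-seed.service has loaded the saved seed; add `After=systemd-random-seed.service local-fs.target` while keeping `Before=sshd.service`, and since Debian ships the daemon as ssh.service with sshd.service only as an Install-time alias, name ssh.service in the Before= line as well so the ordering holds even when the alias symlink is absent.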
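Review bot: do_install in meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb installs only the unit file, while postinst is fetched through SRC_URI but never copied into ${D}; if dpkg-raw is expected to pick up ${WORKDIR}/postinst as the maintainer script by itself, say so in a comment next to SRC_URI so a reader does not conclude the enable step is silently dropped, and DESCRIPTION should say "host keys" rather than "keys" to match the unit's Description.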
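As an added example (not part of the patch or of Isar), the following POSIX sh script audits an unpacked root filesystem for the risk the commit message describes: build-time host keys baked into the image with no first-boot regeneration unit enabled to replace them. It assumes a plain directory tree and the sysinit.target.wants symlink that `systemctl enable` creates for a unit with `WantedBy=sysinit.target`; the fixture builder constructs throwaway trees for demonstration.

```shell
#!/bin/sh
# Audit a rootfs tree for shared sshd host keys surviving first boot.
# Assumptions (mine, not the patch's): rootfs is a plain directory and
# `systemctl enable` created the usual sysinit.target.wants symlink.

UNIT=sshd-regen-keys.service
WANTS=etc/systemd/system/sysinit.target.wants

# count_host_keys ROOTFS: number of private host keys under etc/ssh
count_host_keys() {
    n=0
    for k in "$1"/etc/ssh/ssh_host_*_key; do
        [ -f "$k" ] && n=$((n + 1))
    done
    echo "$n"
}

# regen_enabled ROOTFS: succeeds if the unit exists and is enabled
regen_enabled() {
    [ -f "$1/lib/systemd/system/$UNIT" ] && [ -L "$1/$WANTS/$UNIT" ]
}

# audit_rootfs ROOTFS: 0 = safe, 1 = baked-in keys would survive first boot
audit_rootfs() {
    keys=$(count_host_keys "$1")
    if [ "$keys" -eq 0 ]; then
        echo "OK: no host keys baked into the image"
        return 0
    fi
    if regen_enabled "$1"; then
        echo "OK: $keys baked-in key(s), $UNIT is enabled to replace them"
        return 0
    fi
    echo "FAIL: $keys baked-in key(s) and $UNIT is not enabled"
    return 1
}

# make_fixture DIR WITH_KEYS WITH_UNIT: constructed rootfs for testing
make_fixture() {
    mkdir -p "$1/etc/ssh" "$1/lib/systemd/system" "$1/$WANTS"
    if [ "$2" = yes ]; then
        : > "$1/etc/ssh/ssh_host_ed25519_key"
        : > "$1/etc/ssh/ssh_host_ed25519_key.pub"
    fi
    if [ "$3" = yes ]; then
        : > "$1/lib/systemd/system/$UNIT"
        ln -s "/lib/systemd/system/$UNIT" "$1/$WANTS/$UNIT"
    fi
}
```

Run `audit_rootfs /path/to/rootfs` against an extracted image; a non-zero exit means the image would boot a fleet onto identical host keys.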