[PATCH v2] sshd-regen-keys: Improve service, make more robust

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

* [PATCH v2] sshd-regen-keys: Improve service, make more robust
@ 2021-03-30 10:17 Henning Schild
  2021-04-08  8:24 ` Anton Mikanovich
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Henning Schild @ 2021-03-30 10:17 UTC (permalink / raw)
  To: isar-users; +Cc: Jan Kiszka, Harald Seiler, Henning Schild

Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
With this we would generate new host keys every time the service starts
and no keys exist. Removing the keys from openssh-server in a postinst
makes it complete so that we really only generate on the first boot.

This is easier to handle that reusing the debian package hooks for key
generation.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 .../sshd-regen-keys/files/postinst            |  2 ++
 .../files/sshd-regen-keys.service             |  4 +---
 .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20 -------------------
 .../sshd-regen-keys/sshd-regen-keys_0.3.bb    | 17 ----------------
 .../sshd-regen-keys/sshd-regen-keys_0.4.bb    | 14 +++++++++++++
 5 files changed, 17 insertions(+), 40 deletions(-)
 delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
 delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
 create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb

diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst
index ae722a7349a2..1c9b03e3e040 100644
--- a/meta/recipes-support/sshd-regen-keys/files/postinst
+++ b/meta/recipes-support/sshd-regen-keys/files/postinst
@@ -1,4 +1,6 @@
 #!/bin/sh
 set -e
 
+rm /etc/ssh/ssh_host_*_key*
+
 systemctl enable sshd-regen-keys.service
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index f50d34c820d8..af98d5e9e966 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-Environment=DEBIAN_FRONTEND=noninteractive
-ExecStart=/usr/sbin/sshd-regen-keys.sh
-ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
+ExecStart=/usr/bin/ssh-keygen -A
 StandardOutput=syslog
 StandardError=syslog
 
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
deleted file mode 100644
index 910d879ba51f..000000000000
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env sh
-
-echo -n "SSH server is "
-if systemctl is-enabled ssh; then
-    SSHD_ENABLED="true"
-    systemctl disable --no-reload ssh
-fi
-
-echo "Removing keys ..."
-rm -v /etc/ssh/ssh_host_*_key*
-
-echo "Regenerating keys ..."
-dpkg-reconfigure openssh-server
-
-if test -n $SSHD_ENABLED; then
-    echo "Reenabling ssh server ..."
-    systemctl enable --no-reload ssh
-fi
-
-sync
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
deleted file mode 100644
index 6f12414239a3..000000000000
--- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-# This software is a part of ISAR.
-inherit dpkg-raw
-
-DESCRIPTION = "Systemd service to regenerate sshd keys"
-MAINTAINER = "isar-users <isar-users@googlegroups.com>"
-DEBIAN_DEPENDS = "openssh-server, systemd"
-
-SRC_URI = "file://postinst \
-           file://sshd-regen-keys.service \
-           file://sshd-regen-keys.sh"
-
-do_install[cleandirs] = "${D}/lib/systemd/system \
-                         ${D}/usr/sbin"
-do_install() {
-    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
-    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
-}
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
new file mode 100644
index 000000000000..9ce1d8d88300
--- /dev/null
+++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
@@ -0,0 +1,14 @@
+# This software is a part of ISAR.
+inherit dpkg-raw
+
+DESCRIPTION = "Systemd service to regenerate sshd keys"
+MAINTAINER = "isar-users <isar-users@googlegroups.com>"
+DEBIAN_DEPENDS = "openssh-server, systemd"
+
+SRC_URI = "file://postinst \
+           file://sshd-regen-keys.service"
+
+do_install() {
+    install -d -m 0755 "${D}/lib/systemd/system"
+    install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
+}
-- 
2.26.3


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-03-30 10:17 [PATCH v2] sshd-regen-keys: Improve service, make more robust Henning Schild
@ 2021-04-08  8:24 ` Anton Mikanovich
  2021-04-08  8:50   ` Jan Kiszka
  2021-04-08 10:02 ` Anton Mikanovich
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Anton Mikanovich @ 2021-04-08  8:24 UTC (permalink / raw)
  To: Henning Schild, isar-users; +Cc: Jan Kiszka, Harald Seiler

30.03.2021 13:17, Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
>
> This is easier to handle that reusing the debian package hooks for key
> generation.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>

Looks good, waiting for Jan to approve.

-- 
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-04-08  8:24 ` Anton Mikanovich
@ 2021-04-08  8:50   ` Jan Kiszka
  0 siblings, 0 replies; 8+ messages in thread
From: Jan Kiszka @ 2021-04-08  8:50 UTC (permalink / raw)
  To: Anton Mikanovich, Henning Schild, isar-users; +Cc: Harald Seiler

On 08.04.21 10:24, Anton Mikanovich wrote:
> 30.03.2021 13:17, Henning Schild wrote:
>> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
>> With this we would generate new host keys every time the service starts
>> and no keys exist. Removing the keys from openssh-server in a postinst
>> makes it complete so that we really only generate on the first boot.
>>
>> This is easier to handle that reusing the debian package hooks for key
>> generation.
>>
>> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> 
> Looks good, waiting for Jan to approve.
> 

Just checked this with my problematic setup, and the patch works as it
should.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-03-30 10:17 [PATCH v2] sshd-regen-keys: Improve service, make more robust Henning Schild
  2021-04-08  8:24 ` Anton Mikanovich
@ 2021-04-08 10:02 ` Anton Mikanovich
  2021-04-28 12:21 ` Moessbauer, Felix
  2021-11-18 11:10 ` Gylstorff Quirin
  3 siblings, 0 replies; 8+ messages in thread
From: Anton Mikanovich @ 2021-04-08 10:02 UTC (permalink / raw)
  To: Henning Schild, isar-users; +Cc: Jan Kiszka, Harald Seiler

30.03.2021 13:17, Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
>
> This is easier to handle that reusing the debian package hooks for key
> generation.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>

Applied to next, thanks.

-- 
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov


^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-03-30 10:17 [PATCH v2] sshd-regen-keys: Improve service, make more robust Henning Schild
  2021-04-08  8:24 ` Anton Mikanovich
  2021-04-08 10:02 ` Anton Mikanovich
@ 2021-04-28 12:21 ` Moessbauer, Felix
  2021-04-28 17:22   ` Henning Schild
  2021-11-18 11:10 ` Gylstorff Quirin
  3 siblings, 1 reply; 8+ messages in thread
From: Moessbauer, Felix @ 2021-04-28 12:21 UTC (permalink / raw)
  To: henning.schild, isar-users; +Cc: jan.kiszka, Harald Seiler

Hi,

While this patch definitely improves the situation, there are still a couple of issues:

1. Reinstalling:
When apt-get updating the package, the host's ssh-keys are removed.
IMO it would be better to create a backup in the pre-rm step and restore that in postinst.
An alternative would be, to remove the ssh keys using ISAR in a post-processing step.
Then no postinst script is required (that's similar to how the sshd-keygen@.service in fedora works).

2. Systemd dependencies:
It has to run as early as possible and anyways before the sshd-service.
On some systems like fedora, there is already a sshd-keygen@.service that takes care of re-generating the keys if they are not present (as part of the openssh-server package).
We should conflict on that, or better auto-disable in case this service is installed.
I don't know if Debian plans to add something similar.

3. Compatibility with upstream
If more distros accept the sshd-keygen service approach, we do not want to diverge here.
Maybe, it would be better to just port this approach to Debian / ISAR and deploy images without pre-installed ssh-keys.

Best regards,
Felix

> -----Original Message-----
> From: isar-users@googlegroups.com <isar-users@googlegroups.com> On
> Behalf Of [ext] Henning Schild
> Sent: Tuesday, March 30, 2021 12:17 PM
> To: isar-users <isar-users@googlegroups.com>
> Cc: Kiszka, Jan (T RDA IOT) <jan.kiszka@siemens.com>; Harald Seiler
> <hws@denx.de>; Schild, Henning (T RDA IOT SES-DE)
> <henning.schild@siemens.com>
> Subject: [PATCH v2] sshd-regen-keys: Improve service, make more robust
> 
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts and no
> keys exist. Removing the keys from openssh-server in a postinst makes it
> complete so that we really only generate on the first boot.
> 
> This is easier to handle that reusing the debian package hooks for key
> generation.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  .../sshd-regen-keys/files/postinst            |  2 ++
>  .../files/sshd-regen-keys.service             |  4 +---
>  .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20 -------------------
>  .../sshd-regen-keys/sshd-regen-keys_0.3.bb    | 17 ----------------
>  .../sshd-regen-keys/sshd-regen-keys_0.4.bb    | 14 +++++++++++++
>  5 files changed, 17 insertions(+), 40 deletions(-)  delete mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>  delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-
> keys_0.3.bb
>  create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-
> keys_0.4.bb
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> b/meta/recipes-support/sshd-regen-keys/files/postinst
> index ae722a7349a2..1c9b03e3e040 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/postinst
> +++ b/meta/recipes-support/sshd-regen-keys/files/postinst
> @@ -1,4 +1,6 @@
>  #!/bin/sh
>  set -e
> 
> +rm /etc/ssh/ssh_host_*_key*
> +
>  systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-
> support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-
> support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c820d8..af98d5e9e966 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc  [Service]  Type=oneshot
> RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> +ExecStart=/usr/bin/ssh-keygen -A
>  StandardOutput=syslog
>  StandardError=syslog
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> deleted file mode 100644
> index 910d879ba51f..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -#!/usr/bin/env sh
> -
> -echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> -    SSHD_ENABLED="true"
> -    systemctl disable --no-reload ssh
> -fi
> -
> -echo "Removing keys ..."
> -rm -v /etc/ssh/ssh_host_*_key*
> -
> -echo "Regenerating keys ..."
> -dpkg-reconfigure openssh-server
> -
> -if test -n $SSHD_ENABLED; then
> -    echo "Reenabling ssh server ..."
> -    systemctl enable --no-reload ssh
> -fi
> -
> -sync
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> deleted file mode 100644
> index 6f12414239a3..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -# This software is a part of ISAR.
> -inherit dpkg-raw
> -
> -DESCRIPTION = "Systemd service to regenerate sshd keys"
> -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> -DEBIAN_DEPENDS = "openssh-server, systemd"
> -
> -SRC_URI = "file://postinst \
> -           file://sshd-regen-keys.service \
> -           file://sshd-regen-keys.sh"
> -
> -do_install[cleandirs] = "${D}/lib/systemd/system \
> -                         ${D}/usr/sbin"
> -do_install() {
> -    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> -    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-
> regen-keys.sh"
> -}
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> new file mode 100644
> index 000000000000..9ce1d8d88300
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> @@ -0,0 +1,14 @@
> +# This software is a part of ISAR.
> +inherit dpkg-raw
> +
> +DESCRIPTION = "Systemd service to regenerate sshd keys"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "openssh-server, systemd"
> +
> +SRC_URI = "file://postinst \
> +           file://sshd-regen-keys.service"
> +
> +do_install() {
> +    install -d -m 0755 "${D}/lib/systemd/system"
> +    install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> +}
> --
> 2.26.3
> 
> --
> You received this message because you are subscribed to the Google Groups
> "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email
> to isar-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.g
> oogle.com%2Fd%2Fmsgid%2Fisar-users%2F20210330101722.10371-1-
> henning.schild%2540siemens.com&amp;data=04%7C01%7Cfelix.moessbauer%4
> 0siemens.com%7Ccf1624cf55db4c9c706708d8f36509a3%7C38ae3bcd95794fd4
> addab42e1495d55a%7C1%7C0%7C637526962559188131%7CUnknown%7CTWF
> pbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> Mn0%3D%7C1000&amp;sdata=bM6bgFd1Yq4Vo2tMGrR7GHzRWgSAQMB90vu
> %2BHOa2eZ4%3D&amp;reserved=0.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-04-28 12:21 ` Moessbauer, Felix
@ 2021-04-28 17:22   ` Henning Schild
  0 siblings, 0 replies; 8+ messages in thread
From: Henning Schild @ 2021-04-28 17:22 UTC (permalink / raw)
  To: Moessbauer, Felix (T RDA IOT SES-DE)
  Cc: isar-users, Kiszka, Jan (T RDA IOT), Harald Seiler

Am Wed, 28 Apr 2021 14:21:38 +0200
schrieb "Moessbauer, Felix (T RDA IOT SES-DE)"
<felix.moessbauer@siemens.com>:

> Hi,
> 
> While this patch definitely improves the situation, there are still a
> couple of issues:
> 
> 1. Reinstalling:
> When apt-get updating the package, the host's ssh-keys are removed.
> IMO it would be better to create a backup in the pre-rm step and
> restore that in postinst. An alternative would be, to remove the ssh
> keys using ISAR in a post-processing step. Then no postinst script is
> required (that's similar to how the sshd-keygen@.service in fedora
> works).

Good catch! I will try to make something up. Problem with a backup is
that we do not want that backup on the first install, but with the
pre-rm you suggested it might just work.
The postprocess would be a clean way as well, but that would need to be
conditional if the package is installed. Because the systemd units will
not generate keys if missing and sshd will not come up. But i think
that can be done and is better than the backup cycle.

> 2. Systemd dependencies:
> It has to run as early as possible and anyways before the
> sshd-service. On some systems like fedora, there is already a
> sshd-keygen@.service that takes care of re-generating the keys if
> they are not present (as part of the openssh-server package). We
> should conflict on that, or better auto-disable in case this service
> is installed. I don't know if Debian plans to add something similar.

I guess you mean that sshd-regen-keys.service needs to finish for sure
before ssh@.service comes up. That seems to missing as you say, thanks!
A systemd dep would be the way to go, we failed with enable/disable
stuff before.

> 3. Compatibility with upstream
> If more distros accept the sshd-keygen service approach, we do not
> want to diverge here. Maybe, it would be better to just port this
> approach to Debian / ISAR and deploy images without pre-installed
> ssh-keys.

That in fact sound like the most promising way to go, but also the
hardest. If debian would simply "generate if missing" and not "generate
at install time" that would be it. I think they did that in init
scripts before systemd became a thing.

One more thing we discussed internally is "cloud-init". That solves the
same problem and is packaged in debian. In fact it might address more
that might be relevant for images that get distributed to many
machines. But we also found that it is kind of heavy, pulling in
python3 and libs.

At the moment i have no clue how to proceed and will need to think
about it. I would say that "apt-get update" is maybe not something that
most Isar users want to use. We also have severe kernel update issues
with our wic, where at least legacy is affected and kernel updates will
not work. Not a nice situation ... but it takes the pressure out of
this one a bit.

Anyone feel free to discuss further to help out.

regards,
Henning

> Best regards,
> Felix
> 
> > -----Original Message-----
> > From: isar-users@googlegroups.com <isar-users@googlegroups.com> On
> > Behalf Of [ext] Henning Schild
> > Sent: Tuesday, March 30, 2021 12:17 PM
> > To: isar-users <isar-users@googlegroups.com>
> > Cc: Kiszka, Jan (T RDA IOT) <jan.kiszka@siemens.com>; Harald Seiler
> > <hws@denx.de>; Schild, Henning (T RDA IOT SES-DE)
> > <henning.schild@siemens.com>
> > Subject: [PATCH v2] sshd-regen-keys: Improve service, make more
> > robust
> >
> > Switch to using "/usr/bin/ssh-keygen -A" instead of
> > dpkg-reconfigure. With this we would generate new host keys every
> > time the service starts and no keys exist. Removing the keys from
> > openssh-server in a postinst makes it complete so that we really
> > only generate on the first boot.
> >
> > This is easier to handle that reusing the debian package hooks for
> > key generation.
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  .../sshd-regen-keys/files/postinst            |  2 ++
> >  .../files/sshd-regen-keys.service             |  4 +---
> >  .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20
> > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb    |
> > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb    |
> > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> >  delete mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-
> > keys_0.3.bb create mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen- keys_0.4.bb
> >
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> > b/meta/recipes-support/sshd-regen-keys/files/postinst
> > index ae722a7349a2..1c9b03e3e040 100644
> > --- a/meta/recipes-support/sshd-regen-keys/files/postinst
> > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst
> > @@ -1,4 +1,6 @@
> >  #!/bin/sh
> >  set -e
> >
> > +rm /etc/ssh/ssh_host_*_key*
> > +
> >  systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-
> > support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-
> > support/sshd-regen-keys/files/sshd-regen-keys.service index
> > f50d34c820d8..af98d5e9e966 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc  [Service]
> > Type=oneshot RemainAfterExit=yes
> > -Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/usr/sbin/sshd-regen-keys.sh
> > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog
> > StandardError=syslog
> >
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > deleted file mode 100644 index 910d879ba51f..000000000000
> > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > +++ /dev/null
> > @@ -1,20 +0,0 @@
> > -#!/usr/bin/env sh
> > -
> > -echo -n "SSH server is "
> > -if systemctl is-enabled ssh; then
> > -    SSHD_ENABLED="true"
> > -    systemctl disable --no-reload ssh
> > -fi
> > -
> > -echo "Removing keys ..."
> > -rm -v /etc/ssh/ssh_host_*_key*
> > -
> > -echo "Regenerating keys ..."
> > -dpkg-reconfigure openssh-server
> > -
> > -if test -n $SSHD_ENABLED; then
> > -    echo "Reenabling ssh server ..."
> > -    systemctl enable --no-reload ssh
> > -fi
> > -
> > -sync
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > deleted file mode 100644 index 6f12414239a3..000000000000
> > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > +++ /dev/null
> > @@ -1,17 +0,0 @@
> > -# This software is a part of ISAR.
> > -inherit dpkg-raw
> > -
> > -DESCRIPTION = "Systemd service to regenerate sshd keys"
> > -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > -DEBIAN_DEPENDS = "openssh-server, systemd"
> > -
> > -SRC_URI = "file://postinst \
> > -           file://sshd-regen-keys.service \
> > -           file://sshd-regen-keys.sh"
> > -
> > -do_install[cleandirs] = "${D}/lib/systemd/system \
> > -                         ${D}/usr/sbin"
> > -do_install() {
> > -    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > -    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd- regen-keys.sh"
> > -}
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> > file mode 100644 index 000000000000..9ce1d8d88300
> > --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > @@ -0,0 +1,14 @@
> > +# This software is a part of ISAR.
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Systemd service to regenerate sshd keys"
> > +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > +DEBIAN_DEPENDS = "openssh-server, systemd"
> > +
> > +SRC_URI = "file://postinst \
> > +           file://sshd-regen-keys.service"
> > +
> > +do_install() {
> > +    install -d -m 0755 "${D}/lib/systemd/system"
> > +    install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > +}
> > --
> > 2.26.3
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "isar-users" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to isar-users+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.g
> > oogle.com%2Fd%2Fmsgid%2Fisar-users%2F20210330101722.10371-1-
> > henning.schild%2540siemens.com&amp;data=04%7C01%7Cfelix.moessbauer%4
> > 0siemens.com%7Ccf1624cf55db4c9c706708d8f36509a3%7C38ae3bcd95794fd4
> > addab42e1495d55a%7C1%7C0%7C637526962559188131%7CUnknown%7CTWF
> > pbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> > Mn0%3D%7C1000&amp;sdata=bM6bgFd1Yq4Vo2tMGrR7GHzRWgSAQMB90vu
> > %2BHOa2eZ4%3D&amp;reserved=0.  


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-03-30 10:17 [PATCH v2] sshd-regen-keys: Improve service, make more robust Henning Schild
                   ` (2 preceding siblings ...)
  2021-04-28 12:21 ` Moessbauer, Felix
@ 2021-11-18 11:10 ` Gylstorff Quirin
  2021-11-18 12:55   ` Henning Schild
  3 siblings, 1 reply; 8+ messages in thread
From: Gylstorff Quirin @ 2021-11-18 11:10 UTC (permalink / raw)
  To: [ext] Henning Schild, isar-users; +Cc: Jan Kiszka, Harald Seiler



On 3/30/21 12:17 PM, [ext] Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
> 
> This is easier to handle that reusing the debian package hooks for key
> generation.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   .../sshd-regen-keys/files/postinst            |  2 ++
>   .../files/sshd-regen-keys.service             |  4 +---
>   .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20 -------------------
>   .../sshd-regen-keys/sshd-regen-keys_0.3.bb    | 17 ----------------
>   .../sshd-regen-keys/sshd-regen-keys_0.4.bb    | 14 +++++++++++++
>   5 files changed, 17 insertions(+), 40 deletions(-)
>   delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>   delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
>   create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst
> index ae722a7349a2..1c9b03e3e040 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/postinst
> +++ b/meta/recipes-support/sshd-regen-keys/files/postinst
> @@ -1,4 +1,6 @@
>   #!/bin/sh
>   set -e
>   
> +rm /etc/ssh/ssh_host_*_key*
> +
>   systemctl enable sshd-regen-keys.service
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index f50d34c820d8..af98d5e9e966 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc
>   [Service]
>   Type=oneshot
>   RemainAfterExit=yes
> -Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/usr/sbin/sshd-regen-keys.sh
> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service

Is it intended that it now runs on every boot?

Quirin

> +ExecStart=/usr/bin/ssh-keygen -A
>   StandardOutput=syslog
>   StandardError=syslog
>   
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> deleted file mode 100644
> index 910d879ba51f..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -#!/usr/bin/env sh
> -
> -echo -n "SSH server is "
> -if systemctl is-enabled ssh; then
> -    SSHD_ENABLED="true"
> -    systemctl disable --no-reload ssh
> -fi
> -
> -echo "Removing keys ..."
> -rm -v /etc/ssh/ssh_host_*_key*
> -
> -echo "Regenerating keys ..."
> -dpkg-reconfigure openssh-server
> -
> -if test -n $SSHD_ENABLED; then
> -    echo "Reenabling ssh server ..."
> -    systemctl enable --no-reload ssh
> -fi
> -
> -sync
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> deleted file mode 100644
> index 6f12414239a3..000000000000
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -# This software is a part of ISAR.
> -inherit dpkg-raw
> -
> -DESCRIPTION = "Systemd service to regenerate sshd keys"
> -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> -DEBIAN_DEPENDS = "openssh-server, systemd"
> -
> -SRC_URI = "file://postinst \
> -           file://sshd-regen-keys.service \
> -           file://sshd-regen-keys.sh"
> -
> -do_install[cleandirs] = "${D}/lib/systemd/system \
> -                         ${D}/usr/sbin"
> -do_install() {
> -    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> -    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
> -}
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> new file mode 100644
> index 000000000000..9ce1d8d88300
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> @@ -0,0 +1,14 @@
> +# This software is a part of ISAR.
> +inherit dpkg-raw
> +
> +DESCRIPTION = "Systemd service to regenerate sshd keys"
> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> +DEBIAN_DEPENDS = "openssh-server, systemd"
> +
> +SRC_URI = "file://postinst \
> +           file://sshd-regen-keys.service"
> +
> +do_install() {
> +    install -d -m 0755 "${D}/lib/systemd/system"
> +    install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> +}
> 

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] sshd-regen-keys: Improve service, make more robust
  2021-11-18 11:10 ` Gylstorff Quirin
@ 2021-11-18 12:55   ` Henning Schild
  0 siblings, 0 replies; 8+ messages in thread
From: Henning Schild @ 2021-11-18 12:55 UTC (permalink / raw)
  To: Gylstorff Quirin; +Cc: isar-users, Jan Kiszka, Harald Seiler

Am Thu, 18 Nov 2021 12:10:04 +0100
schrieb Gylstorff Quirin <quirin.gylstorff@siemens.com>:

> On 3/30/21 12:17 PM, [ext] Henning Schild wrote:
> > Switch to using "/usr/bin/ssh-keygen -A" instead of
> > dpkg-reconfigure. With this we would generate new host keys every
> > time the service starts and no keys exist. Removing the keys from
> > openssh-server in a postinst makes it complete so that we really
> > only generate on the first boot.
> > 
> > This is easier to handle that reusing the debian package hooks for
> > key generation.
> > 
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >   .../sshd-regen-keys/files/postinst            |  2 ++
> >   .../files/sshd-regen-keys.service             |  4 +---
> >   .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20
> > ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb    |
> > 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb    |
> > 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-)
> >   delete mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > delete mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create
> > mode 100644
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > 
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst
> > b/meta/recipes-support/sshd-regen-keys/files/postinst index
> > ae722a7349a2..1c9b03e3e040 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/postinst +++
> > b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6
> > @@ #!/bin/sh
> >   set -e
> >   
> > +rm /etc/ssh/ssh_host_*_key*
> > +
> >   systemctl enable sshd-regen-keys.service
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index f50d34c820d8..af98d5e9e966 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service]
> > Type=oneshot RemainAfterExit=yes
> > -Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/usr/sbin/sshd-regen-keys.sh
> > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service  
> 
> Is it intended that it now runs on every boot?

Yes. But only the first one will really do something, the others will
end up as noop.

Henning

> Quirin
> 
> > +ExecStart=/usr/bin/ssh-keygen -A
> >   StandardOutput=syslog
> >   StandardError=syslog
> >   
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > deleted file mode 100644 index 910d879ba51f..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++
> > /dev/null @@ -1,20 +0,0 @@
> > -#!/usr/bin/env sh
> > -
> > -echo -n "SSH server is "
> > -if systemctl is-enabled ssh; then
> > -    SSHD_ENABLED="true"
> > -    systemctl disable --no-reload ssh
> > -fi
> > -
> > -echo "Removing keys ..."
> > -rm -v /etc/ssh/ssh_host_*_key*
> > -
> > -echo "Regenerating keys ..."
> > -dpkg-reconfigure openssh-server
> > -
> > -if test -n $SSHD_ENABLED; then
> > -    echo "Reenabling ssh server ..."
> > -    systemctl enable --no-reload ssh
> > -fi
> > -
> > -sync
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
> > deleted file mode 100644 index 6f12414239a3..000000000000 ---
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++
> > /dev/null @@ -1,17 +0,0 @@
> > -# This software is a part of ISAR.
> > -inherit dpkg-raw
> > -
> > -DESCRIPTION = "Systemd service to regenerate sshd keys"
> > -MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > -DEBIAN_DEPENDS = "openssh-server, systemd"
> > -
> > -SRC_URI = "file://postinst \
> > -           file://sshd-regen-keys.service \
> > -           file://sshd-regen-keys.sh"
> > -
> > -do_install[cleandirs] = "${D}/lib/systemd/system \
> > -                         ${D}/usr/sbin"
> > -do_install() {
> > -    install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > -    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd-regen-keys.sh" -}
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new
> > file mode 100644 index 000000000000..9ce1d8d88300 --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
> > @@ -0,0 +1,14 @@
> > +# This software is a part of ISAR.
> > +inherit dpkg-raw
> > +
> > +DESCRIPTION = "Systemd service to regenerate sshd keys"
> > +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > +DEBIAN_DEPENDS = "openssh-server, systemd"
> > +
> > +SRC_URI = "file://postinst \
> > +           file://sshd-regen-keys.service"
> > +
> > +do_install() {
> > +    install -d -m 0755 "${D}/lib/systemd/system"
> > +    install -m 0644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service" +}
> >   


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-11-18 12:55 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-30 10:17 [PATCH v2] sshd-regen-keys: Improve service, make more robust Henning Schild
2021-04-08  8:24 ` Anton Mikanovich
2021-04-08  8:50   ` Jan Kiszka
2021-04-08 10:02 ` Anton Mikanovich
2021-04-28 12:21 ` Moessbauer, Felix
2021-04-28 17:22   ` Henning Schild
2021-11-18 11:10 ` Gylstorff Quirin
2021-11-18 12:55   ` Henning Schild

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox