Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
From: Harald Seiler
To: Henning Schild, isar-users
Cc: Jan Kiszka
Date: Fri, 26 Mar 2021 10:44:39 +0100
In-Reply-To: <20210326081108.26648-1-henning.schild@siemens.com>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com> <20210326081108.26648-1-henning.schild@siemens.com>

Hi,

On Fri, 2021-03-26 at 09:11 +0100, Henning Schild wrote:
> Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
> With this we would generate new host keys every time the service starts
> and no keys exist. Removing the keys from openssh-server in a postinst
> makes it complete so that we really only generate on the first boot.
>
> This is easier to handle than reusing the debian package hooks for key
> generation.

Yes, this is a _much_ more robust solution, I agree. The debian hooks were a mess to deal with and we had so many edge cases over time that not relying on them here is a much better choice.

This also means the package would now work on a target where dpkg was removed for size constraints.

> Signed-off-by: Henning Schild
> ---
>  .../sshd-regen-keys/files/postinst | 2 ++
>  .../files/sshd-regen-keys.service | 4 +---
>  .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 -------------------
>  .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ----------------
>  .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++
>  5 files changed, 17 insertions(+), 40 deletions(-)
>  delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>  delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
>  create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
>
> diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst
> index ae722a7349a2..1c9b03e3e040 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/postinst > +++ b/meta/recipes-support/sshd-regen-keys/files/postinst > @@ -1,4 +1,6 @@ >  #!/bin/sh >  set -e >   > > +rm /etc/ssh/ssh_host_*_key* > + Just to make sure, this will always run after the openssh-server postinst which initially generates the keys? >  systemctl enable sshd-regen-keys.service > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > index f50d34c820d8..af98d5e9e966 100644 > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc >  [Service] >  Type=oneshot >  RemainAfterExit=yes > -Environment=DEBIAN_FRONTEND=noninteractive > -ExecStart=/usr/sbin/sshd-regen-keys.sh > -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service > +ExecStart=/usr/bin/ssh-keygen -A >  StandardOutput=syslog >  StandardError=syslog This is also much cleaner because it no longer relies on the "self disabling service hack". Much preferred! Not sure if worth it, because ssh-keygen already ignores existing keys, but maybe we could add some ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key (== systemd will skip the unit if all keys are present). This would also hide the service in the startup log when all keys exist where it would otherwise show up unconditionally. > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > deleted file mode 100644 > index 910d879ba51f..000000000000 > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > +++ /dev/null 
> @@ -1,20 +0,0 @@ > -#!/usr/bin/env sh > - > -echo -n "SSH server is " > -if systemctl is-enabled ssh; then > - SSHD_ENABLED="true" > - systemctl disable --no-reload ssh > -fi > - > -echo "Removing keys ..." > -rm -v /etc/ssh/ssh_host_*_key* > - > -echo "Regenerating keys ..." > -dpkg-reconfigure openssh-server > - > -if test -n $SSHD_ENABLED; then > - echo "Reenabling ssh server ..." > - systemctl enable --no-reload ssh > -fi > - > -sync > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > deleted file mode 100644 > index 6f12414239a3..000000000000 > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb > +++ /dev/null > @@ -1,17 +0,0 @@ > -# This software is a part of ISAR. > -inherit dpkg-raw > - > -DESCRIPTION = "Systemd service to regenerate sshd keys" > -MAINTAINER = "isar-users " > -DEBIAN_DEPENDS = "openssh-server, systemd" > - > -SRC_URI = "file://postinst \ > - file://sshd-regen-keys.service \ > - file://sshd-regen-keys.sh" > - > -do_install[cleandirs] = "${D}/lib/systemd/system \ > - ${D}/usr/sbin" > -do_install() { > - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" > - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" > -} > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > new file mode 100644 > index 000000000000..8b1cd8d4aba0 > --- /dev/null > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb 
> @@ -0,0 +1,14 @@ > +# This software is a part of ISAR. > +inherit dpkg-raw > + > +DESCRIPTION = "Systemd service to regenerate sshd keys" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "openssh-server, systemd" > + > +SRC_URI = "file://postinst \ > + file://sshd-regen-keys.service" > + > +do_install() { > + install -m 0755 "${D}/lib/systemd/system" > + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" > +} > -- > 2.26.3 Otherwise: Reviewed-by: Harald Seiler -- Harald
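Review bot: in the postinst hunk, `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so whenever the glob matches nothing (a reinstall after the keys were already removed, or an openssh-server whose postinst did not generate keys) the shell passes the pattern through literally, `rm` exits non-zero and configuration of the package aborts; `rm -f /etc/ssh/ssh_host_*_key*` keeps the intent and tolerates that case. On the ordering question asked inline: the recipe lists openssh-server in DEBIAN_DEPENDS, so dpkg configures openssh-server, and thereby runs its key-generating postinst, before this package's postinst, which is what makes the removal land after the initial generation; since the whole first-boot scheme rests on that dependency, it deserves a sentence in the commit message.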
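Review bot: in the sshd-regen-keys.service hunk, `ExecStart=/usr/bin/ssh-keygen -A` only creates key types that are missing, so the unit is correct only if the postinst really did remove the build-time keys; the three `ConditionPathExists=|!...` lines suggested inline make that assumption visible and also keep the unit from running and logging on every later boot. Two things the deleted script did that the unit drops: the trailing `sync`, which is cheap insurance as `ExecStartPost=/bin/sync` against a power loss right after first boot leaving half-written keys that are then regenerated with different values (seen by every client as a host-key change), and the disable/enable dance around `ssh`, whose replacement is an ordering such as `Before=ssh.service` in the [Unit] section, which lies outside this hunk and should be confirmed so sshd never starts without keys.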
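Review bot: in the new sshd-regen-keys_0.4.bb, `install -m 0755 "${D}/lib/systemd/system"` is missing `-d`: with a single operand install reports a missing destination operand and exits non-zero, so do_install fails before the .service file is copied, and even if it did not fail there would be no target directory for the second install. The 0.3 recipe created the directory through `do_install[cleandirs]`, which this version drops; use `install -d -m 0755 "${D}/lib/systemd/system"` or restore the cleandirs flag.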
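As an added example (not part of this thread or of the ISAR code), the check a defender would run to confirm the patch has the intended effect: it lists host keys still baked into a built rootfs, using the postinst's glob, and, going beyond the thread, flags host keys that more than one device presents, which is the symptom of keys generated at build time rather than on first boot. The rootfs path, host names and key blobs are constructed.

```python
"""Added example (not ISAR code): find SSH host keys that were generated at image
build time instead of on the device's first boot, the failure the patch prevents."""
import base64
import hashlib
from collections import defaultdict
from pathlib import Path


def baked_in_host_keys(rootfs: str) -> list[str]:
    """Host key files still present in a built rootfs, matched with the same glob
    the postinst removes. A correctly built image yields an empty list."""
    ssh_dir = Path(rootfs) / "etc" / "ssh"
    return sorted(str(p.relative_to(rootfs)) for p in ssh_dir.glob("ssh_host_*_key*"))


def openssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one OpenSSH public-key line, in the
    'SHA256:<unpadded base64>' form that `ssh-keygen -lf` prints."""
    fields = pubkey_line.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not an OpenSSH public key line")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(hosts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map every fingerprint presented by more than one host to those hosts.
    Any entry means the key was cloned with the image, not generated on the device."""
    seen: dict[str, list[str]] = defaultdict(list)
    for host, pubkeys in hosts.items():
        for line in pubkeys:
            seen[openssh_fingerprint(line)].append(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}


def fake_ed25519_pubkey(seed: int) -> str:
    """Constructed, syntactically valid ed25519 public-key line (not a real key):
    SSH wire format, the string "ssh-ed25519" then 32 filler bytes as the 'key'."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@image"


# Constructed sample: device-a and device-b still present the image's key.
SAMPLE_HOSTS = {
    "device-a": [fake_ed25519_pubkey(1)],
    "device-b": [fake_ed25519_pubkey(1)],
    "device-c": [fake_ed25519_pubkey(2)],
}

if __name__ == "__main__":
    print("baked-in keys under ./rootfs:", baked_in_host_keys("rootfs"))
    for fp, hosts in shared_host_keys(SAMPLE_HOSTS).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```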