From patchwork Thu Mar 25 02:54:02 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka
X-Patchwork-Id: 386
From: Jan Kiszka
Subject: [PATCH] sshd-regen-keys: Improve service, make more robust
To: isar-users
Cc: Quirin Gylstorff, Henning Schild
Message-ID: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
Date: Thu, 25 Mar 2021 13:54:02 +0100
From: Jan Kiszka

This improves a number of things:
 - stop the service while regenerating keys, rather than disabling its
   auto-start
 - fix restart test condition
 - also check that /tmp is writable (better safe than sorry)
 - do not disable the regen service if it was not successful

Signed-off-by: Jan Kiszka
---

This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh server
if previously disabled".

 .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +-
 .../sshd-regen-keys/files/sshd-regen-keys.sh | 14 ++++++++------
 ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} | 0
 3 files changed, 9 insertions(+), 7 deletions(-)
 rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c8..e7142e69 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -5,13 +5,13 @@ Conflicts=shutdown.target After=systemd-remount-fs.service Before=shutdown.target ssh.service ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp [Service] Type=oneshot RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index 910d879b..9b19f9d3 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -1,9 +1,9 @@ #!/usr/bin/env sh echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh +if systemctl is-active ssh; then + SSHD_ACTIVE="true" + systemctl stop ssh fi echo "Removing keys ..." @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* echo "Regenerating keys ..." dpkg-reconfigure openssh-server -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh +if test -n "$SSHD_ACTIVE"; then + echo "Restarting ssh server ..." + systemctl start ssh fi +systemctl disable sshd-regen-keys.service + sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb similarity index 100% rename from meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
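
Review bot: In the sshd-regen-keys.service hunk, the added `ConditionPathIsReadWrite=/tmp` does not say which step needs /tmp, and a failed condition makes systemd skip the unit rather than fail it. Because the unit is only ordered `After=systemd-remount-fs.service` and `Before=shutdown.target ssh.service`, a skipped run means ssh.service starts with whatever host keys are already under /etc/ssh. Suggest a comment in the unit naming the consumer of /tmp, and consider ordering the unit after the /tmp mount so the condition is evaluated once /tmp is actually available.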
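
Review bot: In the first sshd-regen-keys.sh hunk, the result of `systemctl stop ssh` is not checked, so if the stop fails the script goes on to remove the host keys under a server that is still running. Suggest `systemctl stop ssh || exit 1`. `SSHD_ACTIVE` is also only ever assigned inside the `if`; an explicit `SSHD_ACTIVE=` before it keeps a value inherited from the caller's environment from triggering the later `systemctl start ssh`.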
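
Review bot: In the second sshd-regen-keys.sh hunk, `systemctl disable sshd-regen-keys.service` runs unconditionally: the visible top of the script has no `set -e` and the exit status of `dpkg-reconfigure openssh-server` is not tested, so the commit message's goal of not disabling the regen service after an unsuccessful run is not met. Since `rm -v /etc/ssh/ssh_host_*_key*` has already removed the old keys by then, a failed regeneration leaves the host without host keys and with the one-shot service disabled, so nothing retries on the next boot. Suggest `dpkg-reconfigure openssh-server || exit 1` ahead of the restart and the disable, so the unit fails and stays enabled.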