From patchwork Thu Mar 25 22:11:08 2021
X-Patchwork-Submitter: Henning Schild
X-Patchwork-Id: 387
From: Henning Schild
To: isar-users
Cc: Jan Kiszka, Henning Schild
Subject: [PATCH] sshd-regen-keys: Improve service, make more robust
Date: Fri, 26 Mar 2021 09:11:08 +0100
Message-Id: <20210326081108.26648-1-henning.schild@siemens.com>
X-Mailer: git-send-email 2.26.3
In-Reply-To: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com>
Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com

Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure. With this we would generate new host keys every time the service starts and no keys exist. Removing the keys from openssh-server in a postinst makes it complete so that we really only generate on the first boot. This is easier to handle than reusing the Debian package hooks for key generation.
Signed-off-by: Henning Schild Reviewed-by: Harald Seiler --- .../sshd-regen-keys/files/postinst | 2 ++ .../files/sshd-regen-keys.service | 4 +--- .../sshd-regen-keys/files/sshd-regen-keys.sh | 20 ------------------- .../sshd-regen-keys/sshd-regen-keys_0.3.bb | 17 ---------------- .../sshd-regen-keys/sshd-regen-keys_0.4.bb | 14 +++++++++++++ 5 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst index ae722a7349a2..1c9b03e3e040 100644 --- a/meta/recipes-support/sshd-regen-keys/files/postinst +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@ #!/bin/sh set -e +rm /etc/ssh/ssh_host_*_key* + systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c820d8..af98d5e9e966 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive -ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh deleted file mode 100644 index 910d879ba51f..000000000000 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env sh - -echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh -fi - -echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* - -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server - -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh -fi - -sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted file mode 100644 index 6f12414239a3..000000000000 --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ /dev/null @@ -1,17 +0,0 @@ -# This software is a part of ISAR. -inherit dpkg-raw - -DESCRIPTION = "Systemd service to regenerate sshd keys" -MAINTAINER = "isar-users " -DEBIAN_DEPENDS = "openssh-server, systemd" - -SRC_URI = "file://postinst \ - file://sshd-regen-keys.service \ - file://sshd-regen-keys.sh" - -do_install[cleandirs] = "${D}/lib/systemd/system \ - ${D}/usr/sbin" -do_install() { - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" -} diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new file mode 100644 index 000000000000..8b1cd8d4aba0 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +inherit dpkg-raw + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +do_install() { + install -m 0755 "${D}/lib/systemd/system" + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +}
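Review bot: the new `rm /etc/ssh/ssh_host_*_key*` in postinst runs under `set -e`, so if nothing matches the glob (openssh-server not yet configured when this package is set up, or a reinstall on an image whose keys were already removed) the glob stays literal, `rm` fails and the whole postinst aborts before `systemctl enable sshd-regen-keys.service` runs. Use `rm -f /etc/ssh/ssh_host_*_key*` so the removal is idempotent. It would also help to state in the commit message why the keys are deleted at all: the ones openssh-server generates at image build time would be identical on every device flashed from that image, and removing them here is what makes the first-boot regeneration actually produce per-device host keys.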
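Review bot: with `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` removed and no ordering directive visible in this hunk, please confirm the [Unit] section carries a `Before=ssh.service`: after this change the image boots with no host keys at all, and sshd refuses to start when it finds none, so the order of the two units now matters on every first boot. The deleted script also ended with `sync`, which `ExecStart=/usr/bin/ssh-keygen -A` does not replace; a power loss right after first boot can lose the freshly written keys, and the next boot then generates different ones that clients see as a changed host key. Consider `ExecStartPost=/bin/sync` to keep that behaviour. Dropping `Environment=DEBIAN_FRONTEND=noninteractive` is correct now that dpkg-reconfigure is no longer invoked.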
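Review bot: `install -m 0755 "${D}/lib/systemd/system"` in the new 0.4 do_install is missing `-d`; with a single operand and no `-d`, install reports a missing destination operand and the task fails before the unit file is copied. It should read `install -d -m 0755 "${D}/lib/systemd/system"`. The 0.3 recipe relied on `do_install[cleandirs]` to create that directory, and since that flag was dropped along with the script install, the `-d` is now the only thing that creates it.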