From patchwork Tue Mar 30 01:17:22 2021
X-Patchwork-Submitter: Henning Schild
X-Patchwork-Id: 395
From: Henning Schild
To: isar-users
Cc: Jan Kiszka, Harald Seiler, Henning Schild
Subject: [PATCH v2] sshd-regen-keys: Improve service, make more robust
Date: Tue, 30 Mar 2021 12:17:22 +0200
Message-Id: <20210330101722.10371-1-henning.schild@siemens.com>
X-Mailer: git-send-email 2.26.3

Switch to using "/usr/bin/ssh-keygen -A" instead of dpkg-reconfigure.
With this we would generate new host keys every time the service starts
and no keys exist. Removing the keys from openssh-server in a postinst
makes it complete so that we really only generate on the first boot.

This is easier to handle than reusing the debian package hooks for key
generation.

Signed-off-by: Henning Schild
---
 .../sshd-regen-keys/files/postinst            |  2 ++
 .../files/sshd-regen-keys.service             |  4 +---
 .../sshd-regen-keys/files/sshd-regen-keys.sh  | 20 -------------------
 .../sshd-regen-keys/sshd-regen-keys_0.3.bb    | 17 ----------------
 .../sshd-regen-keys/sshd-regen-keys_0.4.bb    | 14 ++++++++++++++
 5 files changed, 17 insertions(+), 40 deletions(-)
 delete mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
 delete mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb
 create mode 100644 meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb
diff --git a/meta/recipes-support/sshd-regen-keys/files/postinst b/meta/recipes-support/sshd-regen-keys/files/postinst index ae722a7349a2..1c9b03e3e040 100644 --- a/meta/recipes-support/sshd-regen-keys/files/postinst +++ b/meta/recipes-support/sshd-regen-keys/files/postinst @@ -1,4 +1,6 @@ #!/bin/sh set -e +rm /etc/ssh/ssh_host_*_key* + systemctl enable sshd-regen-keys.service diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service index f50d34c820d8..af98d5e9e966 100644 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service @@ -9,9 +9,7 @@ ConditionPathIsReadWrite=/etc [Service] Type=oneshot RemainAfterExit=yes -Environment=DEBIAN_FRONTEND=noninteractive -ExecStart=/usr/sbin/sshd-regen-keys.sh -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service +ExecStart=/usr/bin/ssh-keygen -A StandardOutput=syslog StandardError=syslog diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh deleted file mode 100644 index 910d879ba51f..000000000000 --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env sh - -echo -n "SSH server is " -if systemctl is-enabled ssh; then - SSHD_ENABLED="true" - systemctl disable --no-reload ssh -fi - -echo "Removing keys ..." -rm -v /etc/ssh/ssh_host_*_key* - -echo "Regenerating keys ..." -dpkg-reconfigure openssh-server - -if test -n $SSHD_ENABLED; then - echo "Reenabling ssh server ..." - systemctl enable --no-reload ssh -fi - -sync diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb deleted file mode 100644 index 6f12414239a3..000000000000 --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb +++ /dev/null 
@@ -1,17 +0,0 @@ -# This software is a part of ISAR. -inherit dpkg-raw - -DESCRIPTION = "Systemd service to regenerate sshd keys" -MAINTAINER = "isar-users " -DEBIAN_DEPENDS = "openssh-server, systemd" - -SRC_URI = "file://postinst \ - file://sshd-regen-keys.service \ - file://sshd-regen-keys.sh" - -do_install[cleandirs] = "${D}/lib/systemd/system \ - ${D}/usr/sbin" -do_install() { - install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" - install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh" -} diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb new file mode 100644 index 000000000000..9ce1d8d88300 --- /dev/null +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb @@ -0,0 +1,14 @@ +# This software is a part of ISAR. +inherit dpkg-raw + +DESCRIPTION = "Systemd service to regenerate sshd keys" +MAINTAINER = "isar-users " +DEBIAN_DEPENDS = "openssh-server, systemd" + +SRC_URI = "file://postinst \ + file://sshd-regen-keys.service" + +do_install() { + install -d -m 0755 "${D}/lib/systemd/system" + install -m 0644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service" +}
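Review bot: in the postinst hunk, the added `rm /etc/ssh/ssh_host_*_key*` runs under `set -e` without `-f`, so whenever the glob matches nothing (keys already removed, or the package reinstalled or upgraded in a rootfs where openssh-server never created them) `rm` receives the literal pattern, fails, and the whole postinst aborts the package configuration. Suggest `rm -f /etc/ssh/ssh_host_*_key*` so the postinst stays idempotent; the deleted sshd-regen-keys.sh used `rm -v` on the same glob but did not run with `set -e`, so the failure mode is new with this patch.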
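Review bot: in the sshd-regen-keys.service hunk, dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` means the unit stays enabled and runs `/usr/bin/ssh-keygen -A` on every boot; that is safe because `-A` only creates key types that do not yet exist, but the deleted script's trailing `sync` is also gone, so freshly generated host keys may still sit in the page cache if power is cut right after first boot. Consider adding `ExecStartPost=/bin/sync`. The hunk context starts at `ConditionPathIsReadWrite=/etc`, below the [Unit] section, so please also confirm the unit carries `Before=ssh.service`: the old script disabled ssh around the regeneration, and the new unit relies entirely on ordering to keep sshd from starting before its host keys exist.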