All of lore.kernel.org
 help / color / mirror / Atom feed
From: Joshua Watt <jpewhacker@gmail.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH v2] openssh: Fix key generation with systemd
Date: Wed, 06 Sep 2017 08:21:39 -0500	[thread overview]
Message-ID: <1504704099.26206.1.camel@gmail.com> (raw)
In-Reply-To: <CAJTo0LZPFUEskGphbk8PnTK1aSOOCSt3JuCTxYGbkiQiKPnPuA@mail.gmail.com>

On Tue, 2017-08-01 at 12:07 +0100, Burton, Ross wrote:
> Sorry didn't notice the v2.  In staging now.

I noticed this hasn't been merged yet, is there something holding it
up?

> 
> Ross
> 
> On 25 July 2017 at 03:23, Joshua Watt <jpewhacker@gmail.com> wrote:
> > On Mon, 2017-07-03 at 20:18 -0500, Joshua Watt wrote:
> > > 106b59d9 broke SSH host key generation when systemd and a read-
> > only
> > > root file
> > > system are in use because there isn't a way for systemd to get
> > the
> > > optional
> > > weak assigment of SYSCONFDIR from /etc/default/sshd and still
> > provide
> > > a default
> > > value if it is not specified. Instead, move the logic for
> > determining
> > > if keys
> > > need to be created to a helper script that both the SysV init
> > script
> > > and the
> > > systemd unit file can reference.
> > >
> > > This does mean that the systemd unit file can't check for file
> > > existence to
> > > know if it should start the service, but it wasn't able to do
> > that
> > > correctly
> > > anyway anymore. This should be a problem since the serivce is
> > only
> > > run once per
> > > power cycle by systemd, and should exit quickly if the keys
> > already
> > > exist
> > >
> > > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > > ---
> > >  meta/recipes-connectivity/openssh/openssh/init     | 69 +-------
> > ----
> > > ----------
> > >  .../openssh/openssh/sshd_check_keys                | 64
> > > ++++++++++++++++++++
> > >  .../openssh/openssh/sshdgenkeys.service            | 16 +----
> > >  meta/recipes-connectivity/openssh/openssh_7.5p1.bb |  8 +++
> > >  4 files changed, 76 insertions(+), 81 deletions(-)
> > >  create mode 100644 meta/recipes-
> > > connectivity/openssh/openssh/sshd_check_keys
> > >
> > > diff --git a/meta/recipes-connectivity/openssh/openssh/init
> > > b/meta/recipes-connectivity/openssh/openssh/init
> > > index 386628a..34ba0f8 100644
> > > --- a/meta/recipes-connectivity/openssh/openssh/init
> > > +++ b/meta/recipes-connectivity/openssh/openssh/init
> > > @@ -19,25 +19,6 @@ fi
> > >  [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
> > >  mkdir -p $SYSCONFDIR
> > >
> > > -parse_sshd_opts() {
> > > -    set -- ${SSHD_OPTS} --
> > > -    sshd_config=/etc/ssh/sshd_config
> > > -    while true ; do
> > > -        case "$1" in
> > > -        -f*) if [ "$1" = "-f" ] ; then
> > > -                 sshd_config="$2"
> > > -                 shift
> > > -             else
> > > -                 sshd_config="${1#-f}"
> > > -             fi
> > > -             shift
> > > -             ;;
> > > -        --) shift; break;;
> > > -        *) shift;;
> > > -        esac
> > > -    done
> > > -}
> > > -
> > >  check_for_no_start() {
> > >      # forget it if we're trying to start, and
> > > /etc/ssh/sshd_not_to_be_run exists
> > >      if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
> > > @@ -58,57 +39,13 @@ check_config() {
> > >       /usr/sbin/sshd -t $SSHD_OPTS || exit 1
> > >  }
> > >
> > > -check_keys() {
> > > -     # parse location of keys
> > > -     local HOST_KEY_RSA
> > > -     local HOST_KEY_DSA
> > > -     local HOST_KEY_ECDSA
> > > -     local HOST_KEY_ED25519
> > > -
> > > -     parse_sshd_opts
> > > -     HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_
> > |
> > > tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey
> > > "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_RSA}" ] &&
> > > HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
> > > -     HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_
> > |
> > > tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey
> > > "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_DSA}" ] &&
> > > HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
> > > -     HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep
> > > _ecdsa_ | tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey
> > > "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_ECDSA}" ] &&
> > > HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
> > > -     HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep
> > > _ed25519_ | tail -1 | awk ' { print $2 } ')
> > > -     [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep
> > > HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' {
> > print
> > > $2 } ')
> > > -     [ -z "${HOST_KEY_ED25519}" ] &&
> > > HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
> > > -
> > > -     # create keys if necessary
> > > -     if [ ! -f $HOST_KEY_RSA ]; then
> > > -             echo "  generating ssh RSA key..."
> > > -             mkdir -p $(dirname $HOST_KEY_RSA)
> > > -             ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
> > > -     fi
> > > -     if [ ! -f $HOST_KEY_ECDSA ]; then
> > > -             echo "  generating ssh ECDSA key..."
> > > -             mkdir -p $(dirname $HOST_KEY_ECDSA)
> > > -             ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
> > > -     fi
> > > -     if [ ! -f $HOST_KEY_DSA ]; then
> > > -             echo "  generating ssh DSA key..."
> > > -             mkdir -p $(dirname $HOST_KEY_DSA)
> > > -             ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
> > > -     fi
> > > -     if [ ! -f $HOST_KEY_ED25519 ]; then
> > > -             echo "  generating ssh ED25519 key..."
> > > -             mkdir -p $(dirname $HOST_KEY_ED25519)
> > > -             ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
> > > -     fi
> > > -}
> > > -
> > >  export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> > >
> > >  case "$1" in
> > >    start)
> > >       check_for_no_start
> > >       echo "Starting OpenBSD Secure Shell server: sshd"
> > > -     check_keys
> > > +     @LIBEXECDIR@/sshd_check_keys
> > >       check_privsep_dir
> > >       start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd --
> > > $SSHD_OPTS
> > >          echo "done."
> > > @@ -121,7 +58,7 @@ case "$1" in
> > >
> > >    reload|force-reload)
> > >       check_for_no_start
> > > -     check_keys
> > > +     @LIBEXECDIR@/sshd_check_keys
> > >       check_config
> > >          echo -n "Reloading OpenBSD Secure Shell server's
> > > configuration"
> > >       start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
> > > @@ -129,7 +66,7 @@ case "$1" in
> > >       ;;
> > >
> > >    restart)
> > > -     check_keys
> > > +     @LIBEXECDIR@/sshd_check_keys
> > >       check_config
> > >          echo -n "Restarting OpenBSD Secure Shell server: sshd"
> > >       start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
> > > diff --git a/meta/recipes-
> > > connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-
> > > connectivity/openssh/openssh/sshd_check_keys
> > > new file mode 100644
> > > index 0000000..f5bba53
> > > --- /dev/null
> > > +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
> > > @@ -0,0 +1,64 @@
> > > +#! /bin/sh
> > > +
> > > +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
> > > +if test -f /etc/default/ssh; then
> > > +    . /etc/default/ssh
> > > +fi
> > > +
> > > +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
> > > +mkdir -p $SYSCONFDIR
> > > +
> > > +# parse sshd options
> > > +set -- ${SSHD_OPTS} --
> > > +sshd_config=/etc/ssh/sshd_config
> > > +while true ; do
> > > +    case "$1" in
> > > +    -f*) if [ "$1" = "-f" ] ; then
> > > +            sshd_config="$2"
> > > +            shift
> > > +        else
> > > +            sshd_config="${1#-f}"
> > > +        fi
> > > +        shift
> > > +        ;;
> > > +    --) shift; break;;
> > > +    *) shift;;
> > > +    esac
> > > +done
> > > +
> > > +# parse location of keys
> > > +HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ |
> > tail -1
> > > | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey
> > > "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_RSA}" ] &&
> > > HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
> > > +HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ |
> > tail -1
> > > | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey
> > > "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_DSA}" ] &&
> > > HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
> > > +HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ |
> > > tail -1 | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey
> > > "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_ECDSA}" ] &&
> > > HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
> > > +HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep
> > _ed25519_ |
> > > tail -1 | awk ' { print $2 } ')
> > > +[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey
> > > "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 }
> > ')
> > > +[ -z "${HOST_KEY_ED25519}" ] &&
> > > HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
> > > +
> > > +# create keys if necessary
> > > +if [ ! -f $HOST_KEY_RSA ]; then
> > > +    echo "  generating ssh RSA key..."
> > > +    mkdir -p $(dirname $HOST_KEY_RSA)
> > > +    ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
> > > +fi
> > > +if [ ! -f $HOST_KEY_ECDSA ]; then
> > > +    echo "  generating ssh ECDSA key..."
> > > +    mkdir -p $(dirname $HOST_KEY_ECDSA)
> > > +    ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
> > > +fi
> > > +if [ ! -f $HOST_KEY_DSA ]; then
> > > +    echo "  generating ssh DSA key..."
> > > +    mkdir -p $(dirname $HOST_KEY_DSA)
> > > +    ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
> > > +fi
> > > +if [ ! -f $HOST_KEY_ED25519 ]; then
> > > +    echo "  generating ssh ED25519 key..."
> > > +    mkdir -p $(dirname $HOST_KEY_ED25519)
> > > +    ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
> > > +fi
> > > +
> > > diff --git a/meta/recipes-
> > > connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-
> > > connectivity/openssh/openssh/sshdgenkeys.service
> > > index 148e6ad..603c337 100644
> > > --- a/meta/recipes-
> > connectivity/openssh/openssh/sshdgenkeys.service
> > > +++ b/meta/recipes-
> > connectivity/openssh/openssh/sshdgenkeys.service
> > > @@ -1,22 +1,8 @@
> > >  [Unit]
> > >  Description=OpenSSH Key Generation
> > >  RequiresMountsFor=/var /run
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
> > >
> > >  [Service]
> > > -Environment="SYSCONFDIR=/etc/ssh"
> > > -EnvironmentFile=-/etc/default/ssh
> > > -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
> > > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > ${SYSCONFDIR}/ssh_host_rsa_key
> > > -N '' -t rsa
> > > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > ${SYSCONFDIR}/ssh_host_dsa_key
> > > -N '' -t dsa
> > > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > ${SYSCONFDIR}/ssh_host_ecdsa_key
> > > -N '' -t ecdsa
> > > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > > ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
> > > +ExecStart=@LIBEXECDIR@/sshd_check_keys
> > >  Type=oneshot
> > >  RemainAfterExit=yes
> > > diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > > b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > > index 7bd313b..fdbee85 100644
> > > --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > > +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > > @@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/O
> > penS
> > > SH/portable/openssh-${PV}.tar
> > >             file://openssh-7.1p1-conditional-compile-des-in-
> > > cipher.patch \
> > >             file://openssh-7.1p1-conditional-compile-des-in-
> > > pkcs11.patch \
> > >             file://fix-potential-signed-overflow-in-pointer-
> > > arithmatic.patch \
> > > +           file://sshd_check_keys \
> > >             "
> > >
> > >  PAM_SRC_URI = "file://sshd"
> > > @@ -118,7 +119,13 @@ do_install_append () {
> > >       sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
> > >               -e 's,@SBINDIR@,${sbindir},g' \
> > >               -e 's,@BINDIR@,${bindir},g' \
> > > +             -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
> > >               ${D}${systemd_unitdir}/system/sshd.socket
> > > ${D}${systemd_unitdir}/system/*.service
> > > +
> > > +     sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
> > > +             ${D}${sysconfdir}/init.d/sshd
> > > +
> > > +     install -D -m 0755 ${WORKDIR}/sshd_check_keys
> > > ${D}${libexecdir}/${BPN}/sshd_check_keys
> > >  }
> > >
> > >  do_install_ptest () {
> > > @@ -133,6 +140,7 @@ FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> > >  FILES_${PN}-ssh = "${bindir}/ssh.${BPN}
> > > ${sysconfdir}/ssh/ssh_config"
> > >  FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd
> > > ${systemd_unitdir}/system"
> > >  FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli
> > > ${sysconfdir}/ssh/sshd_config
> > ${sysconfdir}/ssh/sshd_config_readonly
> > > ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
> > > +FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
> > >  FILES_${PN}-sftp = "${bindir}/sftp"
> > >  FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> > >  FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> > 
> > Ping?
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> 
> 



  reply	other threads:[~2017-09-06 13:21 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-29 12:30 [PATCH] openssh: Fix key generation with systemd Joshua Watt
2017-07-03 15:02 ` Burton, Ross
2017-07-04  1:18 ` [PATCH v2] " Joshua Watt
2017-07-25  2:23   ` Joshua Watt
2017-08-01 11:07     ` Burton, Ross
2017-09-06 13:21       ` Joshua Watt [this message]
2017-09-18 18:13         ` Burton, Ross

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1504704099.26206.1.camel@gmail.com \
    --to=jpewhacker@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=ross.burton@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.