From: Joshua Watt <jpewhacker@gmail.com>
To: "André Draszik" <git@andred.net>,
	openembedded-core@lists.openembedded.org
Subject: Re: [pyro][PATCH 04/17] openssh: allow to override OpenSSL HostKeys when read-only-rootfs
Date: Fri, 06 Oct 2017 08:38:42 -0500
Message-ID: <1507297122.2615.49.camel@gmail.com>
In-Reply-To: <20171006121259.5817-5-git@andred.net>

On Fri, 2017-10-06 at 13:12 +0100, André Draszik wrote:
> From: André Draszik <adraszik@tycoint.com>
> 
> With these changes it is possible to have a .bbappend that
> - sets SYSCONFDIR to some persistent storage
> - modifies SYSCONFDIR/sshd_config to use ssh host keys from
>   the (writable) sysconfdir
> 
> Signed-off-by: André Draszik <adraszik@tycoint.com>
> Reviewed-by: Stephane Ayotte <sayotte@tycoint.com>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> 
> (cherry picked from commit 106b59d9f96f70d133fa1421091ad280d27a5b6a)
> Signed-off-by: André Draszik <adraszik@tycoint.com>
> ---
>  meta/classes/rootfs-postcommands.bbclass       |  4 +--
>  meta/recipes-connectivity/openssh/openssh/init | 46
> +++++++++++++++++++++++---
>  2 files changed, 44 insertions(+), 6 deletions(-)
> 
> diff --git a/meta/classes/rootfs-postcommands.bbclass
> b/meta/classes/rootfs-postcommands.bbclass
> index 2503d89e28..4b91972ce7 100644
> --- a/meta/classes/rootfs-postcommands.bbclass
> +++ b/meta/classes/rootfs-postcommands.bbclass
> @@ -91,10 +91,10 @@ read_only_rootfs_hook () {
>  	# and the keys under /var/run/ssh.
>  	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
>  		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ];
> then
> -			echo "SYSCONFDIR=/etc/ssh" >>
> ${IMAGE_ROOTFS}/etc/default/ssh
> +			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}"
> >> ${IMAGE_ROOTFS}/etc/default/ssh
>  			echo "SSHD_OPTS=" >>
> ${IMAGE_ROOTFS}/etc/default/ssh
>  		else
> -			echo "SYSCONFDIR=/var/run/ssh" >>
> ${IMAGE_ROOTFS}/etc/default/ssh
> +			echo "SYSCONFDIR=\${SYSCONFDIR:-
> /var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
>  			echo "SSHD_OPTS='-f
> /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
>  		fi
>  	fi
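Review bot: with `SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}` the directory sshd reads and generates host keys in is no longer fixed at image-build time but taken from whatever environment sources /etc/default/ssh, so the override is effectively an environment variable; the commit message should say where it is expected to be set (the .bbappend, before the init script runs) and that any stray SYSCONFDIR in the init environment silently relocates the keys. The value is consumed unquoted downstream (`mkdir -p $SYSCONFDIR`, `ssh-keygen -q -f $HOST_KEY_RSA`), so an override containing blanks or glob characters breaks the script; quote those uses or reject non-absolute paths. Note also that the read-only branch still hard-codes `SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'`, so for the override to reach sshd on a read-only rootfs the .bbappend has to rewrite the HostKey lines of that file, not only of sshd_config as the commit message says.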
> diff --git a/meta/recipes-connectivity/openssh/openssh/init
> b/meta/recipes-connectivity/openssh/openssh/init
> index 1f63725cc0..386628afc8 100644
> --- a/meta/recipes-connectivity/openssh/openssh/init
> +++ b/meta/recipes-connectivity/openssh/openssh/init
> @@ -19,10 +19,24 @@ fi
>  [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
>  mkdir -p $SYSCONFDIR
>  
> -HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
> -HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
> -HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
> -HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
> +parse_sshd_opts() {
> +    set -- ${SSHD_OPTS} --
> +    sshd_config=/etc/ssh/sshd_config
> +    while true ; do
> +        case "$1" in
> +        -f*) if [ "$1" = "-f" ] ; then
> +                 sshd_config="$2"
> +                 shift
> +             else
> +                 sshd_config="${1#-f}"
> +             fi
> +             shift
> +             ;;
> +        --) shift; break;;
> +        *) shift;;
> +        esac
> +    done
> +}
>  
>  check_for_no_start() {
>      # forget it if we're trying to start, and
> /etc/ssh/sshd_not_to_be_run exists
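Review bot: in parse_sshd_opts a bare `-f` as the last word of SSHD_OPTS takes the `--` sentinel as its argument (`sshd_config="$2"`, then two shifts), after which `$1` is empty, the `--` arm is never reached and `*) shift;;` runs with no positional parameters left: in bash that is an endless loop, in dash or busybox ash a fatal "can't shift that many" that aborts the init script. Loop on `[ $# -gt 0 ]` instead of a sentinel, or check `[ "$2" != "--" ]` before consuming it. Two smaller points: `set -- ${SSHD_OPTS} --` word-splits and globs the value, so bracket it with `set -f`/`set +f` or document that the -f argument may not contain blanks or glob characters; and the result is passed back through the global `sshd_config`, with the default `/etc/ssh/sshd_config` hard-coded, which is right (it is sshd's own default and independent of SYSCONFDIR) but deserves a comment since everything else in this script keys off $SYSCONFDIR. Only `-f` is parsed, so a host key given to sshd with `-h` in SSHD_OPTS is never generated by check_keys.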
> @@ -45,21 +59,45 @@ check_config() {
>  }
>  
>  check_keys() {
> +	# parse location of keys
> +	local HOST_KEY_RSA
> +	local HOST_KEY_DSA
> +	local HOST_KEY_ECDSA
> +	local HOST_KEY_ED25519
> +
> +	parse_sshd_opts
> +	HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ |
> tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey
> "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_RSA}" ] &&
> HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
> +	HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ |
> tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey
> "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_DSA}" ] &&
> HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
> +	HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep
> _ecdsa_ | tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey
> "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_ECDSA}" ] &&
> HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
> +	HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep
> _ed25519_ | tail -1 | awk ' { print $2 } ')
> +	[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep
> HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print
> $2 } ')
> +	[ -z "${HOST_KEY_ED25519}" ] &&
> HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
> +
>  	# create keys if necessary
>  	if [ ! -f $HOST_KEY_RSA ]; then
>  		echo "  generating ssh RSA key..."
> +		mkdir -p $(dirname $HOST_KEY_RSA)
>  		ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
>  	fi
>  	if [ ! -f $HOST_KEY_ECDSA ]; then
>  		echo "  generating ssh ECDSA key..."
> +		mkdir -p $(dirname $HOST_KEY_ECDSA)
>  		ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
>  	fi
>  	if [ ! -f $HOST_KEY_DSA ]; then
>  		echo "  generating ssh DSA key..."
> +		mkdir -p $(dirname $HOST_KEY_DSA)
>  		ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
>  	fi
>  	if [ ! -f $HOST_KEY_ED25519 ]; then
>  		echo "  generating ssh ED25519 key..."
> +		mkdir -p $(dirname $HOST_KEY_ED25519)
>  		ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
>  	fi
>  }
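Review bot: check_keys maps a HostKey line to a key type by filename substring (`grep _rsa_`, `grep _dsa_`, ...), not by what sshd will load, so a configured key whose name does not follow the ssh_host_<type>_key convention matches none of the four filters, the script falls back to `$SYSCONFDIR/ssh_host_rsa_key` and generates a key at a path sshd never reads while the configured one stays missing. The second pass without the `^` anchor (`grep HostKey "${sshd_config}" | grep _rsa_`) then matches the commented-out `#HostKey` defaults that the stock sshd_config ships, so a directive an administrator deliberately disabled is treated as live. Parse the directive instead, e.g. `awk 'tolower($1)=="hostkey"{print $2}'`, generate every configured path, and fall back to the SYSCONFDIR defaults only when the config names no HostKey at all. Also `mkdir -p $(dirname $HOST_KEY_RSA)` creates the directory on persistent storage with the init script's umask; give it an explicit mode (`mkdir -p -m 0755`). The four copy-pasted blocks would collapse into one loop over the key types, which also removes the unquoted `$HOST_KEY_*` expansions.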
> -- 
> 2.14.2
> 

If you are backporting this, please also backport
ae32558a19ae3b3f175365dc0e10fa74a91e28ce
(https://patchwork.openembedded.org/series/7509/)
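As an added example that is neither the quoted patch nor OE-core code, here is a POSIX-sh version of the two lookups the init script performs, the `-f` argument from SSHD_OPTS and the HostKey paths from that config, written to handle the cases the quoted script does not: a dangling `-f`, glob characters in SSHD_OPTS, commented-out `#HostKey` defaults, `HostKeyAlgorithms` lines, lower-case directives and Match blocks, and a configured key whose name gives no hint of its type. The sshd_config it parses is constructed for the demonstration, `/data/ssh` is an assumed persistent-storage path, and the function names are mine.

```sh
#!/bin/sh
# Added example (not the quoted patch, not OE-core code): derive sshd's
# host-key paths from the -f option in SSHD_OPTS and from the HostKey
# directives of that config. /data/ssh is an assumed persistent location.

# Print the sshd_config named by -f in $1 (the SSHD_OPTS string), else $2.
# Subshell body: set -f and the positional parameters stay local, and a
# dangling -f exits the subshell with status 1 instead of being ignored.
sshd_config_from_opts() (
    _cfg=$2
    set -f                      # no globbing while word-splitting SSHD_OPTS
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -f)
                if [ $# -lt 2 ]; then
                    echo "sshd_config_from_opts: -f needs an argument" >&2
                    exit 1
                fi
                _cfg=$2; shift 2 ;;
            -f?*) _cfg=${1#-f}; shift ;;
            *)    shift ;;
        esac
    done
    printf '%s\n' "$_cfg"
)

# Print the active HostKey paths of a sshd_config: the directive name is
# case-insensitive as in sshd, comment lines and HostKeyAlgorithms/HostKeyAgent
# are skipped, and parsing stops at the first Match block.
hostkey_paths() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         tolower($1) == "match"   { exit }
         tolower($1) == "hostkey" { print $2 }' "$1"
}

# Map a key filename to a ssh-keygen -t type via the ssh_host_<type>_key
# convention; prints nothing for names that do not follow it.
key_type_from_path() {
    case ${1##*/} in
        *_rsa_*)     echo rsa ;;
        *_ecdsa_*)   echo ecdsa ;;
        *_ed25519_*) echo ed25519 ;;
        *_dsa_*)     echo dsa ;;
    esac
}

# Print "type path" for every key to ensure: each configured HostKey with a
# recognisable type, or the default set under $2 when the config names no
# HostKey at all. Unrecognised names are reported, never replaced by a
# default that sshd would not read.
keys_to_generate() {
    _cfg=$1 _dir=$2
    if [ -z "$(hostkey_paths "$_cfg" | head -n 1)" ]; then
        for _t in rsa ecdsa ed25519; do
            printf '%s %s\n' "$_t" "$_dir/ssh_host_${_t}_key"
        done
        return
    fi
    hostkey_paths "$_cfg" | while IFS= read -r _p; do
        _t=$(key_type_from_path "$_p")
        if [ -n "$_t" ]; then
            printf '%s %s\n' "$_t" "$_p"
        else
            echo "keys_to_generate: cannot infer key type of $_p, skipping" >&2
        fi
    done
}

# Generate whatever is missing, with an explicit directory mode rather than
# the init script's umask (ssh-keygen itself creates the private key 0600).
ensure_host_keys() {
    keys_to_generate "$1" "$2" | while read -r _t _p; do
        [ -f "$_p" ] && continue
        mkdir -p -m 0755 "$(dirname "$_p")"
        ssh-keygen -q -N '' -t "$_t" -f "$_p"
    done
}

# Constructed sample sshd_config for the demonstration, written to $1.
make_sample_config() {
    cat > "$1" <<'EOF'
# commented-out defaults as shipped by OpenSSH; must be ignored
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
   hostkey /data/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
HostKey /data/ssh/ssh_host_rsa_key
Match User backup
    HostKey /never/parsed
EOF
}
```

Typical use from an init script is `ensure_host_keys "$(sshd_config_from_opts "$SSHD_OPTS" /etc/ssh/sshd_config)" "$SYSCONFDIR"`, which generates only keys sshd will actually load and refuses to guess when SSHD_OPTS is malformed.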



Thread overview:
2017-10-06 12:12 [pyro] some backported patches André Draszik
2017-10-06 12:12 ` [pyro][PATCH 01/17] gdb: fix gdbserver not working in musl/mips context André Draszik
2017-10-06 12:12 ` [pyro][PATCH 02/17] busybox: fix a linking issue André Draszik
2017-10-06 12:12 ` [pyro][PATCH 03/17] busybox: add backported patch to support iproute 'scope' André Draszik
2017-10-06 12:12 ` [pyro][PATCH 04/17] openssh: allow to override OpenSSL HostKeys when read-only-rootfs André Draszik
2017-10-06 13:38   ` Joshua Watt [this message]
2017-10-06 12:12 ` [pyro][PATCH 05/17] selftest/archiver: add tests for recipe type filtering André Draszik
2017-10-06 12:12 ` [pyro][PATCH 06/17] selftest/archiver: only execute deploy_archives task André Draszik
2017-10-06 12:12 ` [pyro][PATCH 07/17] copyleft_filter.bbclass: restore possiblity to filter on type André Draszik
2017-10-06 12:12 ` [pyro][PATCH 08/17] debianutils: Add a native version (for run-parts) André Draszik
2017-10-06 12:12 ` [pyro][PATCH 09/17] ca-certificates: Fix postinst dependency issues André Draszik
2017-10-06 12:12 ` [pyro][PATCH 10/17] kernel-uimage.bbclass: Fix up generation of uImage from vmlinux André Draszik
2017-10-06 12:12 ` [pyro][PATCH 11/17] kernel-fitimage: sanitize dtb section name (unbreak MIPS) André Draszik
2017-10-06 12:12 ` [pyro][PATCH 12/17] kernel-fitimage: unbreak UBOOT_ENTRYSYMBOL support André Draszik
2017-10-06 12:12 ` [pyro][PATCH 13/17] kernel-uimage: optimise " André Draszik
2017-10-06 12:12 ` [pyro][PATCH 14/17] kernel-uboot: support compressed kernel on MIPS André Draszik
2017-10-06 12:12 ` [pyro][PATCH 15/17] kernel-fitimage: support MIPS (compressed) André Draszik
2017-10-06 12:12 ` [pyro][PATCH 16/17] curl: enable threaded resolver André Draszik
2017-10-06 12:12 ` [pyro][PATCH 17/17] useradd-staticids: don't create username-group if gid is specified André Draszik
2017-10-10 14:58 ` [pyro] some backported patches akuster808
2017-10-18  7:05   ` André Draszik
