From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: enrico.scholz@sigma-chemnitz.de,
	openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets
Date: Thu, 14 Mar 2024 13:40:57 +0000
Message-ID: <68d71da3a6f49e2ac4594fa8ca633cdc7eb2e0fe.camel@linuxfoundation.org>
In-Reply-To: <17BC9C80577EA5C2.22340@lists.openembedded.org>

On Thu, 2024-03-14 at 11:00 +0000, Richard Purdie via
lists.openembedded.org wrote:
> On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via
> lists.openembedded.org wrote:
> > To deal with system setups, sshd was configured in the following
> > way:
> > 
> >  - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
> >    x11) are patched in during do_install
> > 
> >    --> this is difficult to maintain; e.g. sshd_config must be
> >        synchronized between OpenSSH releases and OE adaptations
> >        manually inserted
> > 
> >  - two different configuration files (sshd_config +
> >    sshd_config_readonly) are created; IMAGE_FEATURES decides which
> >    one is used and it is patched in a ROOTFS_COMMAND in the system
> > 
> >    --> this makes it difficult for third party recipes to
> >        incorporate their changes (they have to go over both files)
> > 
> >    --> the readonly HostKey locations and algorithms are hardcoded
> >        which makes it difficult to place them e.g. on a persistent
> >        /opt partition and disable e.g. ecdsa
> > 
> >  - depending on IMAGE_FEATURES (empty passwords, root login), both
> >    files are patched by a ROOTFS_POSTCOMMAND
> > 
> >    --> these changes are lost when pkgmgmt is used for the image
> >        and openssh is updated
> > 
> > 
> > The patchset:
> > 
> >  - reduces changes to sshd_config to
> > 
> >    | Include /etc/ssh/sshd_config.d/*.conf
> > 
> >    --> This is already done in the current recipe and most mainline
> >        Linux distributions are doing it
> > 
> >  - moves configuration into a new openssh-config recipe which is a
> >    weak dependency of openssh (and can be replaced by another
> >    IMAGE_INSTALL)
> > 
> >    Recipe ships configuration as small snippets which might contain
> >    dynamically created content (e.g. 'UsePAM yes')
> > 
> >  - IMAGE_FEATURE based setup is done by creating subpackages with
> >    the corresponding options.  These subpackages are added to
> >    FEATURE_PACKAGES_ssh-server-openssh
> > 
> >  - readonly rootfs setup has been enhanced by
> > 
> >    | RO_KEYDIR ??= "/var/run/ssh"
> >    | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
> > 
> >    parameters which can be overridden.
> 
> 
> Thanks for sending this. I suspect something like this might be
> desirable however unfortunately the timing is a little tricky as we're
> just past the feature freeze point for 5.0.
> 
> I know people often want to push for the inclusion of things into
> something like the LTS so I did put this through the automated testing,
> just to get an idea of the potential issues.
> 
> The first run had lots of these warnings:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings
> 
> so I squashed a fix in for that. The second run had this:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio
> 
> which suggests ssh connections into our image testing don't work. It
> is unclear why that is failing there but there were indications in the
> previous build that other ssh connections were working ok. It could be
> dropbear vs openssh at a guess. That build is still ongoing too so
> there may be other issues.
> 
> Anyway I just wanted to highlight the testing results and to say that
> this is something we should think about but it will have to wait until
> after 5.0 releases.
> 
> I haven't reviewed the patches in much detail, I mainly wanted to get
> the automated testing results shared.

Some further related warnings:

https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/9031/steps/11/logs/warnings

Cheers,

Richard


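Editor's note on the snippet approach quoted above. The proposal replaces patching of sshd_config with drop-in files pulled in through `Include /etc/ssh/sshd_config.d/*.conf`, and separate subpackages (root login, empty passwords, read-only rootfs host keys) ship their own snippet. What decides whether such a snippet actually takes effect is the sshd_config(5) precedence rule: an Include is expanded in place, glob matches are read in sorted order, and for most keywords the first value obtained wins, while a few keywords (HostKey, Port, ListenAddress) accumulate. So a `PermitRootLogin yes` snippet wins only if the Include sits above any `PermitRootLogin` line in the main file, and a read-only-rootfs snippet cannot remove a HostKey path that the main file already lists. The following is an added example, written for this page and not code from the patchset or from OpenSSH: a small Python model of that resolution logic over a constructed in-memory /etc/ssh. The snippet file names and contents are assumptions chosen to mirror the features named in the thread; the model ignores Match blocks (it stops reading a file at its first Match line), so it only describes top-level keywords.

```python
"""Model of sshd_config keyword precedence with Include snippets.

Added example for this thread, not code from the OE-core patchset or from
OpenSSH.  Rules modelled from sshd_config(5): Include is expanded in place,
glob matches are processed in sorted order, the first value of a keyword
wins, and a few keywords accumulate instead.  Match blocks are not
modelled: reading of a file stops at its first Match line.
"""
import fnmatch
import posixpath

SSH_DIR = "/etc/ssh"
# Keywords sshd collects as a list instead of taking the first value.
MULTI_VALUED = {"hostkey", "port", "listenaddress"}

# Constructed snippets, in the spirit of the openssh-config proposal.
# File names and contents are assumptions, not the patchset's own files.
SNIPPETS = {
    "/etc/ssh/sshd_config.d/10-pam.conf": "UsePAM yes\n",
    "/etc/ssh/sshd_config.d/20-allow-root-login.conf": "PermitRootLogin yes\n",
    "/etc/ssh/sshd_config.d/30-readonly-rootfs.conf":
        "HostKey /var/run/ssh/ssh_host_rsa_key\n"
        "HostKey /var/run/ssh/ssh_host_ed25519_key\n",
}


def build_tree(include_first):
    """Return a fake /etc/ssh as {path: text}.  The Include line goes at
    the top of sshd_config when include_first is True, else at the bottom."""
    base = [
        "# comment and blank lines are ignored",
        "PermitRootLogin no",
        "PasswordAuthentication yes",
        "HostKey /etc/ssh/ssh_host_ed25519_key",
    ]
    inc = "Include sshd_config.d/*.conf"  # relative: resolved under /etc/ssh
    lines = [inc] + base if include_first else base + [inc]
    tree = dict(SNIPPETS)
    tree["/etc/ssh/sshd_config"] = "\n".join(lines) + "\n"
    return tree


def _expand_include(tree, pattern):
    """Files matching an Include pattern, in the sorted order sshd uses."""
    if not pattern.startswith("/"):
        pattern = posixpath.join(SSH_DIR, pattern)
    return sorted(p for p in tree if fnmatch.fnmatchcase(p, pattern))


def _merge(cfg, new):
    """First value wins; multi-valued keywords are appended in order."""
    for key, value in new.items():
        if key in MULTI_VALUED:
            cfg.setdefault(key, []).extend(value)
        elif key not in cfg:
            cfg[key] = value


def resolve(tree, path="/etc/ssh/sshd_config", _depth=0):
    """Effective top-level configuration as {keyword: value}.
    Keywords are lower-cased; multi-valued keywords map to a list."""
    if _depth > 16:
        raise RecursionError("Include nesting too deep: " + path)
    cfg = {}
    for raw in tree[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # Match blocks are out of scope for this model
        if key == "include":
            for inc in _expand_include(tree, value):
                _merge(cfg, resolve(tree, inc, _depth + 1))
            continue
        _merge(cfg, {key: [value] if key in MULTI_VALUED else value})
    return cfg


if __name__ == "__main__":
    for first in (True, False):
        eff = resolve(build_tree(first))
        where = "top" if first else "bottom"
        print("Include at %s: PermitRootLogin=%s HostKey=%s"
              % (where, eff["permitrootlogin"], eff["hostkey"]))
```

With the Include at the top the `20-allow-root-login.conf` snippet wins and root login is enabled even though the main file says `PermitRootLogin no`; with the Include at the bottom the main file wins and the snippet is silently ineffective. In both placements the main file's `/etc/ssh/ssh_host_ed25519_key` stays in the HostKey list next to the `/var/run/ssh` keys from the read-only-rootfs snippet, which is why a snippet-based scheme only works cleanly when the shipped sshd_config carries nothing but the Include line, as the patchset proposes. When reviewing an image, `sshd -T` on the target prints the effective values and is the check to run rather than reading the files by hand.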
Thread overview:
2024-03-11 17:18 [PATCH 0/7] Replace sshd_config patching by snippets Enrico Scholz
2024-03-11 17:18 ` [PATCH 1/7] openssh: replace complete configuration files by patch Enrico Scholz
2024-03-11 17:41   ` Patchtest results for " patchtest
2024-03-11 18:16   ` [PATCH 1/7, v2] " Enrico Scholz
2024-03-11 18:33     ` Patchtest results for " patchtest
2024-03-12 11:00   ` [PATCH 1/7, v3] " Enrico Scholz
2024-03-12 13:10     ` [OE-core] " Alexander Kanavin
2024-03-12 14:06       ` Enrico Scholz
2024-03-16 23:58     ` Alexandre Belloni
2024-03-11 17:18 ` [PATCH 2/7] openssh-config: initial checkin Enrico Scholz
2024-03-11 17:41   ` Patchtest results for " patchtest
2024-03-11 18:12     ` Enrico Scholz
2024-03-12 13:14       ` [OE-core] " Trevor Gamblin
2024-03-11 17:18 ` [PATCH 3/7] openssh: move configuration tweaking in configuration recipe Enrico Scholz
2024-03-11 17:18 ` [PATCH 4/7] image: prepare openssh configuration Enrico Scholz
2024-03-11 17:18 ` [PATCH 5/7] openssh: replace 'allow-empty-password' rootfs scipt by configuration Enrico Scholz
2024-03-11 17:18 ` [PATCH 6/7] openssh: replace 'allow-root-login' " Enrico Scholz
2024-03-11 17:18 ` [PATCH 7/7] openssh: move read-only-rootfs setup in configuration snippet Enrico Scholz
2024-03-12 13:14 ` [OE-core] [PATCH 0/7] Replace sshd_config patching by snippets Alexander Kanavin
2024-03-14 11:00 ` Richard Purdie
2024-03-14 14:11   ` Enrico Scholz
2024-03-14 14:27     ` Richard Purdie
     [not found] ` <17BC9C80577EA5C2.22340@lists.openembedded.org>
2024-03-14 13:40   ` Richard Purdie [this message]
2024-03-14 14:57     ` Enrico Scholz
2024-03-14 17:47       ` Alexander Kanavin
