From mboxrd@z Thu Jan 1 00:00:00 1970
From: Yann E. MORIN
Date: Sun, 3 Aug 2014 09:37:26 +0200
Subject: [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call
In-Reply-To: <1407028879-2004-1-git-send-email-danomimanchego123@gmail.com>
References: <1407028879-2004-1-git-send-email-danomimanchego123@gmail.com>
Message-ID: <20140803073726.GB4052@free.fr>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: buildroot@busybox.net

Danomi, All,

On 2014-08-02 21:21 -0400, Danomi Manchego spake thusly:
> Since openssh-6.0, the ssh-keygen app has supported a -A option,
> which creates any missing keys. This frees us of having to add
> new ssh-keygen invocations as new key types are introduced. This
> also frees us of having to know the default key names and locations.
> So this patch replaces all the init.d script invocations with
> a single "ssh-keygen -A" call.
>
> Note: the systemd service script *already* uses this option.
>
> Signed-off-by: Danomi Manchego

Acked-by: "Yann E. MORIN"

However, I have a comment about this key generation: it does not work
when the filesystem is read-only. That was already the case before your
patch, hence my Ack. But we should probably find a way to fix that one
way or the other.

One option would be to pre-generate the host keys at build-time. There
are pros and cons with this, though:
  - pros: we can save the public keys and store them in the known_hosts
    file of the user. No confirmation at first connection, useful during
    development;
  - cons: the image can't be realistically deployed to many targets,
    otherwise they would all have the same keys. Bad.

I don't have a better solution for now... :-/

Of course, we can also delegate to the user the responsibility to ensure
that /etc *is* writable when openssh is installed (which we implicitly do
right now.)

Regards,
Yann E. MORIN.

> ---
> package/openssh/S50sshd | 34 ++--------------------------------
> 1 file changed, 2 insertions(+), 32 deletions(-)
>
> diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd
> index d3abf7c..65bdb90 100644
> --- a/package/openssh/S50sshd
> +++ b/package/openssh/S50sshd
> @@ -6,38 +6,8 @@
> # Make sure the ssh-keygen progam exists
> [ -f /usr/bin/ssh-keygen ] || exit 0
>
> -# Check for the SSH1 RSA key
> -if [ ! -f /etc/ssh_host_key ] ; then
> - echo Generating RSA Key...
> - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 RSA key
> -if [ ! -f /etc/ssh_host_rsa_key ] ; then
> - echo Generating RSA Key...
> - /usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 DSA key
> -if [ ! -f /etc/ssh_host_dsa_key ] ; then
> - echo Generating DSA Key...
> - echo
> - /usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 ECDSA key
> -if [ ! -f /etc/ssh_host_ecdsa_key ]; then
> - echo Generating ECDSA Key...
> - echo
> - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N ''
> -fi
> -
> -# Check for the ed25519 key
> -if [ ! -f /etc/ssh_host_ed25519_key ]; then
> - echo Generating ed25519 Key...
> - echo
> - /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N ''
> -fi
> +# Create any missing keys
> +/usr/bin/ssh-keygen -A
>
> umask 077
>
> --
> 1.7.9.5
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

--
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
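Review bot: the exit status of the new `/usr/bin/ssh-keygen -A` line is never checked, so when /etc is read-only (the case raised in the reply above) the script falls through to `umask 077` and on to starting sshd with no host keys, and nothing in the log says why. Consider `/usr/bin/ssh-keygen -A || echo "ssh-keygen -A failed" >&2`, or a writability check on the key directory before the call. A smaller behavioural difference worth a line in the commit message: every removed invocation passed `-C ''` for an empty comment, whereas `-A` generates the keys with ssh-keygen's default comment.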
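The read-only /etc problem discussed in the reply, as an added example that is not part of the patch or of Buildroot's S50sshd: a POSIX sh fragment that confirms the host-key directory is actually writable before running the single `ssh-keygen -A` call from the patch, so a read-only root filesystem produces a clear message and a non-zero status instead of sshd coming up with no host keys. The function names, the probe-file approach and the optional second argument (the ssh-keygen path, defaulting to the `/usr/bin/ssh-keygen` used in the script) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Buildroot's S50sshd: guard "ssh-keygen -A" with a
# writability check on the host-key directory.

# Return 0 if DIR exists and a file can really be created in it.
# A real create attempt is used instead of "test -w", because "test -w"
# reports true for root on a mode-0555 directory while a read-only mount
# still refuses the creation.
host_key_dir_writable() {
    dir=$1
    probe="$dir/.ssh-keygen-probe.$$"
    [ -d "$dir" ] || return 1
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
    return 0
}

# Generate any missing host keys with one "ssh-keygen -A", as the patch
# does, but only after confirming DIR is writable and the tool is present.
# Prints the reason on stderr and returns non-zero on failure, so the init
# script can decide whether to continue.
# Usage: generate_host_keys DIR [SSH_KEYGEN_PATH]   (second argument assumed)
generate_host_keys() {
    dir=$1
    keygen=${2:-/usr/bin/ssh-keygen}
    if ! host_key_dir_writable "$dir"; then
        echo "sshd: host-key directory $dir is not writable; cannot generate host keys" >&2
        return 1
    fi
    if [ ! -x "$keygen" ]; then
        echo "sshd: $keygen not found or not executable" >&2
        return 1
    fi
    "$keygen" -A
}
```

With the layout shown in the removed lines, where the keys live directly under /etc, the init script would call `generate_host_keys /etc || exit 1` in place of the bare `ssh-keygen -A`; a build that puts the keys under /etc/ssh passes that directory instead.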