* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call @ 2014-08-03 1:21 Danomi Manchego 2014-08-03 7:37 ` Yann E. MORIN 2014-08-03 8:36 ` Thomas Petazzoni 0 siblings, 2 replies; 10+ messages in thread From: Danomi Manchego @ 2014-08-03 1:21 UTC (permalink / raw) To: buildroot Since openssh-6.0, the ssh-keygen app has supported a -A option, which creates any missing keys. This frees us of having to add new ssh-keygen invocations as new key types are introduced. This also frees us of having to know the default key names and locations. So this patch replaces all the the init.d script invocations with a single "ssh-keygen -A" call. Note: the systemd service script *already* uses this option. Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> --- package/openssh/S50sshd | 34 ++-------------------------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd index d3abf7c..65bdb90 100644 --- a/package/openssh/S50sshd +++ b/package/openssh/S50sshd @@ -6,38 +6,8 @@ # Make sure the ssh-keygen progam exists [ -f /usr/bin/ssh-keygen ] || exit 0 -# Check for the SSH1 RSA key -if [ ! -f /etc/ssh_host_key ] ; then - echo Generating RSA Key... - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N '' -fi - -# Check for the SSH2 RSA key -if [ ! -f /etc/ssh_host_rsa_key ] ; then - echo Generating RSA Key... - /usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N '' -fi - -# Check for the SSH2 DSA key -if [ ! -f /etc/ssh_host_dsa_key ] ; then - echo Generating DSA Key... - echo - /usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N '' -fi - -# Check for the SSH2 ECDSA key -if [ ! -f /etc/ssh_host_ecdsa_key ]; then - echo Generating ECDSA Key... - echo - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N '' -fi - -# Check for the ed25519 key -if [ ! -f /etc/ssh_host_ed25519_key ]; then - echo Generating ed25519 Key... - echo - /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N '' -fi +# Create any missing keys +/usr/bin/ssh-keygen -A umask 077 -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-03 1:21 [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call Danomi Manchego @ 2014-08-03 7:37 ` Yann E. MORIN 2014-08-03 13:25 ` Danomi Manchego 2014-08-03 8:36 ` Thomas Petazzoni 1 sibling, 1 reply; 10+ messages in thread From: Yann E. MORIN @ 2014-08-03 7:37 UTC (permalink / raw) To: buildroot Danomi, All, On 2014-08-02 21:21 -0400, Danomi Manchego spake thusly: > Since openssh-6.0, the ssh-keygen app has supported a -A option, > which creates any missing keys. This frees us of having to add > new ssh-keygen invocations as new key types are introduced. This > also frees us of having to know the default key names and locations. > So this patch replaces all the the init.d script invocations with > a single "ssh-keygen -A" call. > > Note: the systemd service script *already* uses this option. > > Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> However, I have a comment about this key generation: it does not work when the filesystem is read-only. That was already the case before your patch, hence my Ack. But we should probably find a way to fix that one way or the other. One option would be to pre-generate the host keys at build-time. There are pros abd cons with this, though: - pros: we can save the public keys and store them in the known_hosts file of the user. No confirmation at first connection, usefull during development; - cons: the image can't be realisticaly deployed to many targets, otherwise they would all have the same keys. Bad. I don't have a better solution for now... :-/ Of course, we can also delegate to the user the reponsibility to ensure that /etc *is* writable when openssh is installed (which we implicitly do right now.) Regards, Yann E. MORIN. > --- > package/openssh/S50sshd | 34 ++-------------------------------- > 1 file changed, 2 insertions(+), 32 deletions(-) > > diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd > index d3abf7c..65bdb90 100644 > --- a/package/openssh/S50sshd > +++ b/package/openssh/S50sshd > @@ -6,38 +6,8 @@ > # Make sure the ssh-keygen progam exists > [ -f /usr/bin/ssh-keygen ] || exit 0 > > -# Check for the SSH1 RSA key > -if [ ! -f /etc/ssh_host_key ] ; then > - echo Generating RSA Key... > - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N '' > -fi > - > -# Check for the SSH2 RSA key > -if [ ! -f /etc/ssh_host_rsa_key ] ; then > - echo Generating RSA Key... > - /usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N '' > -fi > - > -# Check for the SSH2 DSA key > -if [ ! -f /etc/ssh_host_dsa_key ] ; then > - echo Generating DSA Key... > - echo > - /usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N '' > -fi > - > -# Check for the SSH2 ECDSA key > -if [ ! -f /etc/ssh_host_ecdsa_key ]; then > - echo Generating ECDSA Key... > - echo > - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N '' > -fi > - > -# Check for the ed25519 key > -if [ ! -f /etc/ssh_host_ed25519_key ]; then > - echo Generating ed25519 Key... > - echo > - /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N '' > -fi > +# Create any missing keys > +/usr/bin/ssh-keygen -A > > umask 077 > > -- > 1.7.9.5 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-03 7:37 ` Yann E. MORIN @ 2014-08-03 13:25 ` Danomi Manchego 2014-08-04 8:24 ` Thomas Petazzoni 0 siblings, 1 reply; 10+ messages in thread From: Danomi Manchego @ 2014-08-03 13:25 UTC (permalink / raw) To: buildroot Yann, On Sun, Aug 3, 2014 at 3:37 AM, Yann E. MORIN <yann.morin.1998@free.fr> wrote: > Danomi, All, > > On 2014-08-02 21:21 -0400, Danomi Manchego spake thusly: >> Since openssh-6.0, the ssh-keygen app has supported a -A option, >> which creates any missing keys. This frees us of having to add >> new ssh-keygen invocations as new key types are introduced. This >> also frees us of having to know the default key names and locations. >> So this patch replaces all the the init.d script invocations with >> a single "ssh-keygen -A" call. >> >> Note: the systemd service script *already* uses this option. >> >> Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> > > Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> > > However, I have a comment about this key generation: it does not work > when the filesystem is read-only. That was already the case before your > patch, hence my Ack. But we should probably find a way to fix that one > way or the other. > > One option would be to pre-generate the host keys at build-time. There > are pros abd cons with this, though: > > - pros: we can save the public keys and store them in the known_hosts > file of the user. No confirmation at first connection, usefull > during development; > > - cons: the image can't be realisticaly deployed to many targets, > otherwise they would all have the same keys. Bad. > > I don't have a better solution for now... :-/ > > Of course, we can also delegate to the user the reponsibility to ensure > that /etc *is* writable when openssh is installed (which we implicitly > do right now.) I think this issue is not limited to openssh - there's other things that want to occasionally save stuff to /etc, /var, even /root (e.g. gstreamer plugins cache). I suppose that efforts could be made to try to patch/configure these locations to all be in one place (/var ?), but that still assumes a writable directory. So, unless we direct all attempts to save state to a tmpfs, I think it always come back to being the user's responsibility. So for now I'm content to keep openssh as it is, rather than hunt down all the places that might try to write to etc (, var, $HOME, ...). Danomi - > Regards, > Yann E. MORIN. > >> --- >> package/openssh/S50sshd | 34 ++-------------------------------- >> 1 file changed, 2 insertions(+), 32 deletions(-) >> >> diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd >> index d3abf7c..65bdb90 100644 >> --- a/package/openssh/S50sshd >> +++ b/package/openssh/S50sshd >> @@ -6,38 +6,8 @@ >> # Make sure the ssh-keygen progam exists >> [ -f /usr/bin/ssh-keygen ] || exit 0 >> >> -# Check for the SSH1 RSA key >> -if [ ! -f /etc/ssh_host_key ] ; then >> - echo Generating RSA Key... >> - /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N '' >> -fi >> - >> -# Check for the SSH2 RSA key >> -if [ ! -f /etc/ssh_host_rsa_key ] ; then >> - echo Generating RSA Key... >> - /usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N '' >> -fi >> - >> -# Check for the SSH2 DSA key >> -if [ ! -f /etc/ssh_host_dsa_key ] ; then >> - echo Generating DSA Key... >> - echo >> - /usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N '' >> -fi >> - >> -# Check for the SSH2 ECDSA key >> -if [ ! -f /etc/ssh_host_ecdsa_key ]; then >> - echo Generating ECDSA Key... >> - echo >> - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N '' >> -fi >> - >> -# Check for the ed25519 key >> -if [ ! -f /etc/ssh_host_ed25519_key ]; then >> - echo Generating ed25519 Key... >> - echo >> - /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N '' >> -fi >> +# Create any missing keys >> +/usr/bin/ssh-keygen -A >> >> umask 077 >> >> -- >> 1.7.9.5 >> >> _______________________________________________ >> buildroot mailing list >> buildroot at busybox.net >> http://lists.busybox.net/mailman/listinfo/buildroot > > -- > .-----------------.--------------------.------------------.--------------------. > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | > | +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no | > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | > '------------------------------^-------^------------------^--------------------' ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-03 13:25 ` Danomi Manchego @ 2014-08-04 8:24 ` Thomas Petazzoni 2014-08-04 9:17 ` Waldemar Brodkorb 2014-08-04 14:28 ` Danomi Manchego 0 siblings, 2 replies; 10+ messages in thread From: Thomas Petazzoni @ 2014-08-04 8:24 UTC (permalink / raw) To: buildroot Dear Danomi Manchego, On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote: > I think this issue is not limited to openssh - there's other things > that want to occasionally save stuff to /etc, /var, even /root (e.g. > gstreamer plugins cache). I suppose that efforts could be made to try > to patch/configure these locations to all be in one place (/var ?), > but that still assumes a writable directory. So, unless we direct all > attempts to save state to a tmpfs, I think it always come back to > being the user's responsibility. > > So for now I'm content to keep openssh as it is, rather than hunt down > all the places that might try to write to etc (, var, $HOME, ...). Buildroot is normally supposed to support a read-only root filesystem, and there are already several things being done to make this possible: * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf * Most of the /var/<foo> directories are symbolic links to /tmp. Only /var/lib is not. * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs is read only. Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-04 8:24 ` Thomas Petazzoni @ 2014-08-04 9:17 ` Waldemar Brodkorb 2014-08-08 20:03 ` Peter Korsgaard 2014-08-04 14:28 ` Danomi Manchego 1 sibling, 1 reply; 10+ messages in thread From: Waldemar Brodkorb @ 2014-08-04 9:17 UTC (permalink / raw) To: buildroot Hi, Thomas Petazzoni wrote, > Dear Danomi Manchego, > > On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote: > > > I think this issue is not limited to openssh - there's other things > > that want to occasionally save stuff to /etc, /var, even /root (e.g. > > gstreamer plugins cache). I suppose that efforts could be made to try > > to patch/configure these locations to all be in one place (/var ?), > > but that still assumes a writable directory. So, unless we direct all > > attempts to save state to a tmpfs, I think it always come back to > > being the user's responsibility. > > > > So for now I'm content to keep openssh as it is, rather than hunt down > > all the places that might try to write to etc (, var, $HOME, ...). > > Buildroot is normally supposed to support a read-only root filesystem, > and there are already several things being done to make this possible: > > * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf > * Most of the /var/<foo> directories are symbolic links to /tmp. > Only /var/lib is not. > * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs > is read only. In OpenADK is use cfgfs - configuration filesystem. It maintains a tmpfs based /etc and let the user commit any changes via a commandline tool to a partition on a block/mtd device. Only changes are compressed via LZO and written to the maximum 16 MB cfgfs partition. http://www.openadk.org/docs/html/manual.html#_cfgfs_configuration_file_system It allows smooth updates without loosing device configuration data. Any interest in porting it to buildroot? best regards Waldemar ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-04 9:17 ` Waldemar Brodkorb @ 2014-08-08 20:03 ` Peter Korsgaard 2014-08-09 15:23 ` Thomas Petazzoni 0 siblings, 1 reply; 10+ messages in thread From: Peter Korsgaard @ 2014-08-08 20:03 UTC (permalink / raw) To: buildroot >>>>> "Waldemar" == Waldemar Brodkorb <wbx@openadk.org> writes: Hi, > In OpenADK is use cfgfs - configuration filesystem. It maintains > a tmpfs based /etc and let the user commit any changes via a > commandline tool to a partition on a block/mtd device. > Only changes are compressed via LZO and written to the maximum > 16 MB cfgfs partition. > http://www.openadk.org/docs/html/manual.html#_cfgfs_configuration_file_system Heh, I wrote something similar a few years ago: http://git.korsgaard.com/cgi-bin/gitweb.cgi?p=cfg.git;a=summary It simply stored .tar.gz's of the changed files. > It allows smooth updates without loosing device configuration data. > Any interest in porting it to buildroot? We try hard to not enforce policy, so I wouldn't want to make cfgfs a required package, but as an optional one it make sense. Please do. -- Bye, Peter Korsgaard ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-08 20:03 ` Peter Korsgaard @ 2014-08-09 15:23 ` Thomas Petazzoni 0 siblings, 0 replies; 10+ messages in thread From: Thomas Petazzoni @ 2014-08-09 15:23 UTC (permalink / raw) To: buildroot Hello, On Fri, 08 Aug 2014 22:03:31 +0200, Peter Korsgaard wrote: > > It allows smooth updates without loosing device configuration data. > > > Any interest in porting it to buildroot? > > We try hard to not enforce policy, so I wouldn't want to make cfgfs a > required package, but as an optional one it make sense. Please do. Agreed. We clearly don't want people to be forced to use something such as cfgfs, but it would definitely be useful to have that as an option. Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-04 8:24 ` Thomas Petazzoni 2014-08-04 9:17 ` Waldemar Brodkorb @ 2014-08-04 14:28 ` Danomi Manchego 2014-08-05 19:22 ` Baruch Siach 1 sibling, 1 reply; 10+ messages in thread From: Danomi Manchego @ 2014-08-04 14:28 UTC (permalink / raw) To: buildroot Thomas, On Mon, Aug 4, 2014 at 4:24 AM, Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote: > Dear Danomi Manchego, > > On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote: > >> I think this issue is not limited to openssh - there's other things >> that want to occasionally save stuff to /etc, /var, even /root (e.g. >> gstreamer plugins cache). I suppose that efforts could be made to try >> to patch/configure these locations to all be in one place (/var ?), >> but that still assumes a writable directory. So, unless we direct all >> attempts to save state to a tmpfs, I think it always come back to >> being the user's responsibility. >> >> So for now I'm content to keep openssh as it is, rather than hunt down >> all the places that might try to write to etc (, var, $HOME, ...). > > Buildroot is normally supposed to support a read-only root filesystem, > and there are already several things being done to make this possible: > > * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf > * Most of the /var/<foo> directories are symbolic links to /tmp. > Only /var/lib is not. > * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs > is read only. So - should the openssh.mk be making symlinks of all the key files to /tmp/$FILE? That re-introduces the maintenance burden, but I'll make a patch along those lines if there's interest. Danomi - ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-04 14:28 ` Danomi Manchego @ 2014-08-05 19:22 ` Baruch Siach 0 siblings, 0 replies; 10+ messages in thread From: Baruch Siach @ 2014-08-05 19:22 UTC (permalink / raw) To: buildroot Hi Danomi, On Mon, Aug 04, 2014 at 10:28:08AM -0400, Danomi Manchego wrote: > On Mon, Aug 4, 2014 at 4:24 AM, Thomas Petazzoni > <thomas.petazzoni@free-electrons.com> wrote: > > On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote: > >> I think this issue is not limited to openssh - there's other things > >> that want to occasionally save stuff to /etc, /var, even /root (e.g. > >> gstreamer plugins cache). I suppose that efforts could be made to try > >> to patch/configure these locations to all be in one place (/var ?), > >> but that still assumes a writable directory. So, unless we direct all > >> attempts to save state to a tmpfs, I think it always come back to > >> being the user's responsibility. > >> > >> So for now I'm content to keep openssh as it is, rather than hunt down > >> all the places that might try to write to etc (, var, $HOME, ...). > > > > Buildroot is normally supposed to support a read-only root filesystem, > > and there are already several things being done to make this possible: > > > > * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf > > * Most of the /var/<foo> directories are symbolic links to /tmp. > > Only /var/lib is not. > > * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs > > is read only. > > So - should the openssh.mk be making symlinks of all the key files to > /tmp/$FILE? That re-introduces the maintenance burden, but I'll make > a patch along those lines if there's interest. I don't think so. SSH keys should be stored in a writeable AND persistent over reboot location. Storing them under /tmp (ephemeral tmpfs by default) would make the keys regenerate on every boot, which would defeat the whole purpose of having host keys in the first place. baruch -- http://baruch.siach.name/blog/ ~. .~ Tk Open Systems =}------------------------------------------------ooO--U--Ooo------------{= - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il - ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call 2014-08-03 1:21 [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call Danomi Manchego 2014-08-03 7:37 ` Yann E. MORIN @ 2014-08-03 8:36 ` Thomas Petazzoni 1 sibling, 0 replies; 10+ messages in thread From: Thomas Petazzoni @ 2014-08-03 8:36 UTC (permalink / raw) To: buildroot Dear Danomi Manchego, On Sat, 2 Aug 2014 21:21:19 -0400, Danomi Manchego wrote: > Since openssh-6.0, the ssh-keygen app has supported a -A option, > which creates any missing keys. This frees us of having to add > new ssh-keygen invocations as new key types are introduced. This > also frees us of having to know the default key names and locations. > So this patch replaces all the the init.d script invocations with > a single "ssh-keygen -A" call. > > Note: the systemd service script *already* uses this option. > > Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Applied, thanks! Thomsa -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-08-09 15:23 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-08-03 1:21 [Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call Danomi Manchego 2014-08-03 7:37 ` Yann E. MORIN 2014-08-03 13:25 ` Danomi Manchego 2014-08-04 8:24 ` Thomas Petazzoni 2014-08-04 9:17 ` Waldemar Brodkorb 2014-08-08 20:03 ` Peter Korsgaard 2014-08-09 15:23 ` Thomas Petazzoni 2014-08-04 14:28 ` Danomi Manchego 2014-08-05 19:22 ` Baruch Siach 2014-08-03 8:36 ` Thomas Petazzoni
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox