From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-it0-f66.google.com (mail-it0-f66.google.com [209.85.214.66]) by mail.openembedded.org (Postfix) with ESMTP id 18B5377FDE for ; Thu, 29 Jun 2017 12:30:28 +0000 (UTC) Received: by mail-it0-f66.google.com with SMTP id v193so890505itc.2 for ; Thu, 29 Jun 2017 05:30:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=qJ3dxQAGem2QdL3q+gf9cwVmN9cUeX979zDHVrmZAsc=; b=M8hfaHoO579XON+UFBfwmQ8ELpsBxqmGOt5Oq6oiW9pFLqUuRgC/OJhvIjX/GHLcE+ +JSJskCTsPyG+LIFKk+jKOHP6jowe8bwzZPwuEZj65o0eugFOWzvBaDVJjl8njMmpS0O vywHxzKCr+6wDFRejYFM5JoCfnVcbibSlCRBtWBiql+JaA5fKB1ifjTpuAfqGjkTm7wW WKKQrb4XiLFklH7mX9cB4o8HvUjgT5uDM9cZeb2RebMeHG1y78h6YEHJ5glj3yLAvaeL YaQmjvClx/UUzf5umSiuIv/cFp9Wa0xtm+jRMVycg3pRt0qxJR0yXbHZIbj3J6p554/1 yy2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=qJ3dxQAGem2QdL3q+gf9cwVmN9cUeX979zDHVrmZAsc=; b=LJGnJq0LKlI0gpknsd4G0ZyPLiiTrhuXrdqIUQjQXaMgZRtUpYfl1OvoJ9DjD6tIsj wXOsUiSmVUkLuZH3JsCnGd0e+wnq9oKfhVcFdN1XnyijNhw1qe31ZRB5OEcdE8E6/SUm V2t93f6Y2YM3m8qmziznCr3EfBRrqvQBQUdmSD6hEFXNcoPzy+n8imgeDX1fO0bY4nu/ 0Zi1HjEriFv6NhmPPeW5qe0qUl8RTmTL5z50hnnW2O3FF5EDw9lW7rr0/y91bhj46UFs EWC6NQMqTWF3rvFM/7WZkQRruJXW3JpnwDFh5Lb4jgBkDSMJTn1VCx0gz4XEhjznCe8J gOVQ== X-Gm-Message-State: AKS2vOxaFzElCI3rspAELEFjOZVNjfKmNEbLE+fRLatAGrV8lf1+0Oy5 5qPfcz+X6CgTeA== X-Received: by 10.36.84.144 with SMTP id t138mr12877687ita.76.1498739429662; Thu, 29 Jun 2017 05:30:29 -0700 (PDT) Received: from localhost.localdomain ([2605:a601:a83:3700:10fb:b4c1:2c33:798c]) by smtp.gmail.com with ESMTPSA id e77sm4354032itd.18.2017.06.29.05.30.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 29 Jun 2017 05:30:28 -0700 (PDT) From: Joshua Watt X-Google-Original-From: Joshua Watt To: adraszik@tycoint.com, openembedded-core@lists.openembedded.org Date: Thu, 29 Jun 2017 07:30:22 -0500 Message-Id: <20170629123022.4580-1-JPEWhacker@gmail.com> X-Mailer: git-send-email 2.9.4 Subject: [PATCH] openssh: Fix key generation with systemd X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Jun 2017 12:30:29 -0000 106b59d9 broke SSH host key generation when systemd and a read-only root file system are in use because there isn't a way for systemd to get the optional weak assigment of SYSCONFDIR from /etc/default/sshd and still provide a default value if it is not specified. Instead, move the logic for determining if keys need to be created to a helper script that both the SysV init script and the systemd unit file can reference. This does mean that the systemd unit file can't check for file existence to know if it should start the service, but it wasn't able to do that correctly anyway anymore. This should be a problem since the serivce is only run once per power cycle by systemd, and should exit quickly if the keys already exist Signed-off-by: Joshua Watt --- meta/recipes-connectivity/openssh/openssh/init | 69 +--------------------- .../openssh/openssh/sshd_check_keys | 64 ++++++++++++++++++++ .../openssh/openssh/sshdgenkeys.service | 16 +---- meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 7 +++ 4 files changed, 75 insertions(+), 81 deletions(-) create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_check_keys diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init index 386628a..34ba0f8 100644 --- a/meta/recipes-connectivity/openssh/openssh/init +++ b/meta/recipes-connectivity/openssh/openssh/init @@ -19,25 +19,6 @@ fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR -parse_sshd_opts() { - set -- ${SSHD_OPTS} -- - sshd_config=/etc/ssh/sshd_config - while true ; do - case "$1" in - -f*) if [ "$1" = "-f" ] ; then - sshd_config="$2" - shift - else - sshd_config="${1#-f}" - fi - shift - ;; - --) shift; break;; - *) shift;; - esac - done -} - check_for_no_start() { # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then @@ -58,57 +39,13 @@ check_config() { /usr/sbin/sshd -t $SSHD_OPTS || exit 1 } -check_keys() { - # parse location of keys - local HOST_KEY_RSA - local HOST_KEY_DSA - local HOST_KEY_ECDSA - local HOST_KEY_ED25519 - - parse_sshd_opts - HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key - HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key - HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key - HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') - [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key - - # create keys if necessary - if [ ! -f $HOST_KEY_RSA ]; then - echo " generating ssh RSA key..." - mkdir -p $(dirname $HOST_KEY_RSA) - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa - fi - if [ ! -f $HOST_KEY_ECDSA ]; then - echo " generating ssh ECDSA key..." - mkdir -p $(dirname $HOST_KEY_ECDSA) - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa - fi - if [ ! -f $HOST_KEY_DSA ]; then - echo " generating ssh DSA key..." - mkdir -p $(dirname $HOST_KEY_DSA) - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa - fi - if [ ! -f $HOST_KEY_ED25519 ]; then - echo " generating ssh ED25519 key..." - mkdir -p $(dirname $HOST_KEY_ED25519) - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 - fi -} - export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" case "$1" in start) check_for_no_start echo "Starting OpenBSD Secure Shell server: sshd" - check_keys + @LIBEXECDIR@/sshd_check_keys check_privsep_dir start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS echo "done." @@ -121,7 +58,7 @@ case "$1" in reload|force-reload) check_for_no_start - check_keys + @LIBEXECDIR@/sshd_check_keys check_config echo -n "Reloading OpenBSD Secure Shell server's configuration" start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd @@ -129,7 +66,7 @@ case "$1" in ;; restart) - check_keys + @LIBEXECDIR@/sshd_check_keys check_config echo -n "Restarting OpenBSD Secure Shell server: sshd" start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 0000000..f5bba53 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -0,0 +1,64 @@ +#! /bin/sh + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +# parse location of keys +HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key +HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key +HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key +HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ') +[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key + +# create keys if necessary +if [ ! -f $HOST_KEY_RSA ]; then + echo " generating ssh RSA key..." + mkdir -p $(dirname $HOST_KEY_RSA) + ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa +fi +if [ ! -f $HOST_KEY_ECDSA ]; then + echo " generating ssh ECDSA key..." + mkdir -p $(dirname $HOST_KEY_ECDSA) + ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa +fi +if [ ! -f $HOST_KEY_DSA ]; then + echo " generating ssh DSA key..." + mkdir -p $(dirname $HOST_KEY_DSA) + ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa +fi +if [ ! -f $HOST_KEY_ED25519 ]; then + echo " generating ssh ED25519 key..." + mkdir -p $(dirname $HOST_KEY_ED25519) + ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 +fi + diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 148e6ad..603c337 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -1,22 +1,8 @@ [Unit] Description=OpenSSH Key Generation RequiresMountsFor=/var /run -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key [Service] -Environment="SYSCONFDIR=/etc/ssh" -EnvironmentFile=-/etc/default/ssh -ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519 +ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb index 7bd313b..dd65642 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb @@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \ file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \ file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ + file://sshd_check_keys \ " PAM_SRC_URI = "file://sshd" @@ -118,7 +119,13 @@ do_install_append () { sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ -e 's,@BINDIR@,${bindir},g' \ + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service + + sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${sysconfdir}/init.d/sshd + + install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys } do_install_ptest () { -- 2.9.4