From: Ian Arkver <ian.arkver.dev@gmail.com>
To: Joshua Watt <jpewhacker@gmail.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [meta-oe][PATCH v3] openssh: Atomically generate host keys
Date: Thu, 25 May 2017 10:21:10 +0100 [thread overview]
Message-ID: <7a69047b-31ec-c7e8-5d03-b472f91500f8@gmail.com> (raw)
In-Reply-To: <20170525021717.394-1-JPEWhacker@gmail.com>
On 25/05/17 03:17, Joshua Watt wrote:
> Generating the host keys atomically prevents power interruptions during
> the first boot from leaving the key files incomplete, which often
> prevents users from being able to ssh into the device.
> ---
> meta/recipes-connectivity/openssh/openssh/init | 21 +++----------
> .../openssh/openssh/sshd-check-key | 36 ++++++++++++++++++++++
> .../openssh/openssh/sshdgenkeys.service | 24 +++++++--------
> meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 8 +++++
> 4 files changed, 60 insertions(+), 29 deletions(-)
> create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd-check-key
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init
> index 1f63725..22124a9 100644
> --- a/meta/recipes-connectivity/openssh/openssh/init
> +++ b/meta/recipes-connectivity/openssh/openssh/init
> @@ -45,23 +45,10 @@ check_config() {
> }
>
> check_keys() {
> - # create keys if necessary
> - if [ ! -f $HOST_KEY_RSA ]; then
> - echo " generating ssh RSA key..."
> - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
> - fi
> - if [ ! -f $HOST_KEY_ECDSA ]; then
> - echo " generating ssh ECDSA key..."
> - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
> - fi
> - if [ ! -f $HOST_KEY_DSA ]; then
> - echo " generating ssh DSA key..."
> - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
> - fi
> - if [ ! -f $HOST_KEY_ED25519 ]; then
> - echo " generating ssh ED25519 key..."
> - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
> - fi
> + @LIBEXECDIR@/sshd-check-key $HOST_KEY_RSA rsa
> + @LIBEXECDIR@/sshd-check-key $HOST_KEY_ECDSA ecdsa
> + @LIBEXECDIR@/sshd-check-key $HOST_KEY_DSA dsa
> + @LIBEXECDIR@/sshd-check-key $HOST_KEY_ED25519 ed25519
> }
>
> export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd-check-key b/meta/recipes-connectivity/openssh/openssh/sshd-check-key
> new file mode 100644
> index 0000000..d2613af
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd-check-key
> @@ -0,0 +1,36 @@
> +#! /bin/sh
> +set -e
> +
> +NAME="$1"
> +TYPE="$2"
> +
> +if [ -z "$NAME" ] || [ -z "$TYPE" ]; then
> + echo "Usage: $0 NAME TYPE"
> + exit 1;
> +fi
> +
> +DIR="$(dirname "$NAME")"
> +
> +if [ ! -f "$NAME" ]; then
> + echo " generating ssh $TYPE key..."
> + ssh-keygen -q -f "${NAME}.tmp" -N '' -t $TYPE
> +
> + # Move (Atomically rename) files
> + mv -f "${NAME}.tmp.pub" "${NAME}.pub"
> +
> + # This sync does double duty: Ensuring that the data in the temporary
> + # private key file is on disk before the rename, and ensuring that the
> + # public key rename is completed before the private key rename, since we
> + # switch on the existence of the private key to trigger key generation.
> + # This does mean it is possible for the public key to exist, but be garbage
> + # but this is OK because in that case the private key won't exist and the
> + # keys will be regenerated.
> + #
> + # In the event that sync understands arguments that limit what it tries to
> + # fsync(), we provided them. If it does not, it will simply call sync()
> + # which is just as well
> + sync "${NAME}.pub" "$DIR" "${NAME}.tmp"
> +
> + mv -f "${NAME}.tmp" "${NAME}"
You previously mentioned moving the third, most optional sync to a
single sync at the end, but I don't see it at all now. Should there be
another sync "$DIR" somewhere in the init script or service file?
Regards,
Ian
> +fi
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> index 148e6ad..5d08b53 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> @@ -1,22 +1,22 @@
> [Unit]
> Description=OpenSSH Key Generation
> RequiresMountsFor=/var /run
> -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
> -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
> +ConditionPathExists=|!/var/run/ssh/ssh_host_rsa_key
> +ConditionPathExists=|!/var/run/ssh/ssh_host_dsa_key
> +ConditionPathExists=|!/var/run/ssh/ssh_host_ecdsa_key
> +ConditionPathExists=|!/var/run/ssh/ssh_host_ed25519_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
>
> [Service]
> Environment="SYSCONFDIR=/etc/ssh"
> EnvironmentFile=-/etc/default/ssh
> ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
> -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa
> -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa
> -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
> -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
> +ExecStart=@LIBEXECDIR@/sshd-check-key ${SYSCONFDIR}/ssh_host_rsa_key rsa
> +ExecStart=@LIBEXECDIR@/sshd-check-key ${SYSCONFDIR}/ssh_host_dsa_key dsa
> +ExecStart=@LIBEXECDIR@/sshd-check-key ${SYSCONFDIR}/ssh_host_ecdsa_key ecdsa
> +ExecStart=@LIBEXECDIR@/sshd-check-key ${SYSCONFDIR}/ssh_host_ed25519_key ed25519
> Type=oneshot
> RemainAfterExit=yes
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> index 5b96745..ede8823 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> @@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
> file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
> file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
> file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
> + file://sshd-check-key \
> "
>
> PAM_SRC_URI = "file://sshd"
> @@ -124,7 +125,14 @@ do_install_append () {
> sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
> -e 's,@SBINDIR@,${sbindir},g' \
> -e 's,@BINDIR@,${bindir},g' \
> + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
> ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
> +
> + sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
> + ${D}${sysconfdir}/init.d/sshd
> +
> + install -d ${D}${libexecdir}/${BPN}
> + install -m 0755 ${WORKDIR}/sshd-check-key ${D}${libexecdir}/${BPN}
> }
>
> do_install_ptest () {
>
next prev parent reply other threads:[~2017-05-25 9:21 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-07 1:33 [PATCH] openssh: Atomically generate host keys Joshua Watt
2017-05-09 2:24 ` (No subject) Joshua Watt
2017-05-09 2:24 ` [PATCH v2] openssh: Atomically generate host keys Joshua Watt
2017-05-22 13:08 ` [PATCH] " Joshua Watt
2017-05-23 14:37 ` Burton, Ross
2017-05-23 15:29 ` Joshua Watt
2017-05-23 17:23 ` Randy Witt
2017-05-23 17:56 ` Joshua Watt
2017-05-23 19:56 ` Joshua Watt
2017-05-24 10:03 ` Peter Kjellerstedt
2017-05-24 13:38 ` Joshua Watt
2017-05-25 2:17 ` [meta-oe][PATCH v3] " Joshua Watt
2017-05-25 9:21 ` Ian Arkver [this message]
2017-05-26 1:52 ` [meta-oe][PATCH v4] " Joshua Watt
2017-05-26 18:02 ` Andre McCurdy
2017-05-26 1:54 ` [meta-oe][PATCH v5] " Joshua Watt
2017-05-26 13:33 ` Leonardo Sandoval
2017-05-26 13:33 ` Joshua Watt
2017-05-31 2:34 ` [PATCH v6] " Joshua Watt
2017-05-31 2:45 ` Otavio Salvador
2017-06-01 3:05 ` [PATCH v7] " Joshua Watt
2017-06-07 3:30 ` Joshua Watt
2017-06-12 12:25 ` Joshua Watt
2017-06-12 12:25 ` Joshua Watt
2017-06-14 3:31 ` [PATCH v8] " Joshua Watt
2017-06-14 3:38 ` Joshua Watt
2017-06-14 3:55 ` [PATCH v9] " Joshua Watt
2017-07-13 12:15 ` [PATCH v10] " Joshua Watt
2017-09-28 13:40 ` [PATCH v11] " Joshua Watt
2017-06-20 8:52 ` [PATCH] " Ulrich Ölmann
2017-06-20 14:07 ` Joshua Watt
2017-05-25 2:31 ` ✗ patchtest: failure for openssh: Atomically generate host keys (rev3) Patchwork
2017-05-26 2:01 ` ✗ patchtest: failure for openssh: Atomically generate host keys (rev4) Patchwork
2017-07-13 12:31 ` ✗ patchtest: failure for openssh: Atomically generate host keys (rev10) Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7a69047b-31ec-c7e8-5d03-b472f91500f8@gmail.com \
--to=ian.arkver.dev@gmail.com \
--cc=jpewhacker@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox