Michael Prokop wrote:
> Nowadays™ with systemd we use our own ssh.service, which looks like that:
>
> https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE

Can we (Debian, not GRML) please just add
    ExecStartPre=ssh-keygen -A
to Debian's default ssh.service?
Is there any DOWNSIDE to doing that?
It appears to be fully idempotent.

This doesn't work because it runs after sshd -t (which fails if keys don't 
exist):

    $ systemctl edit ssh
    [Service]
    ExecStartPre=ssh-keygen -A

Instead you have to do this, which is a bit yukky:

    $ systemctl edit ssh
    [Service]
    # Remove upstream's "sshd -t"
    ExecStartPre=
    ExecStartPre=ssh-keygen -A
    # Re-add "sshd -t" AFTER ssh-keygen.
    ExecStartPre=sshd -t

Or if you are scared the "sshd -t" copy-paste might get out of sync, you have 
to do a whole separate unit:

    $ systemctl edit ssh-keygen --force --full
    [Unit]
    # Runs before ssh.service so its "sshd -t" finds the keys.
    Before=ssh.service
    [Service]
    Type=oneshot
    ExecStart=ssh-keygen -A
    [Install]
    RequiredBy=ssh.service

    $ systemctl enable ssh-keygen


Note that Debian Live images still have to remove the keys generated
at image build time, i.e. something like this:

    mmdebstrap --include=ssh '--customize-hook=rm -fv $1/etc/ssh/ssh_host_*_key*'

Is it worth supporting opt-out of install-time host key generation
(i.e. a new preseed option, checked by openssh-server.postinst)?


What I would IDEALLY like is the same behaviour as tinysshd and dropbear,
which is to defer host key generation until an actual SSH connection needs it.
For Debian Live images, this not only simplifies setup,
it also means there's more likely to be a good source of entropy.

(I guess that's really a separate ticket to file upstream, though.)
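The ordering problem and the live-image key removal described in the message above, as an added example that is not from the bug report, from Debian's openssh packaging or from GRML: a POSIX shell script that simulates how systemd merges ExecStartPre= across a unit and its drop-ins (an empty "ExecStartPre=" clears the list, anything else appends), checks whether "ssh-keygen -A" ends up before "sshd -t", and strips build-time host keys from an image root the way the mmdebstrap hook does. The upstream unit text is a constructed stand-in for ssh.service; only the [Service] ExecStartPre= lines are modelled, with no specifier expansion or "-"/"+" exec prefixes.

```shell
#!/bin/sh
# Added example: simulates systemd's ExecStartPre= drop-in merging and the
# live-image host-key cleanup. Not code from the bug report or from Debian.
# Assumption: the unit texts below are constructed stand-ins; only
# ExecStartPre= inside [Service] is modelled (no %-specifiers, no exec prefixes).
set -eu

# Constructed stand-in for the upstream ssh.service (only the relevant lines).
UPSTREAM_UNIT='[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
'

# The naive drop-in: appends, so it runs AFTER "sshd -t".
NAIVE_DROPIN='[Service]
ExecStartPre=ssh-keygen -A
'

# The fixed drop-in: reset the list, generate keys, then re-add the check.
FIXED_DROPIN='[Service]
ExecStartPre=
ExecStartPre=ssh-keygen -A
ExecStartPre=/usr/sbin/sshd -t
'

# effective_exec_start_pre UNIT_TEXT [DROPIN_TEXT ...]
# Prints the effective ExecStartPre= commands, one per line, in run order.
effective_exec_start_pre() {
    for text in "$@"; do printf '%s\n' "$text"; done |
    awk -F= '
        /^\[/                { in_service = ($0 == "[Service]"); next }
        !in_service          { next }
        $1 != "ExecStartPre" { next }
        {
            sub(/^ExecStartPre=/, "")
            if ($0 == "") { n = 0 }            # empty value resets the list
            else          { cmds[++n] = $0 }   # otherwise append
        }
        END { for (i = 1; i <= n; i++) print cmds[i] }
    '
}

# keygen_before_config_check UNIT_TEXT [DROPIN_TEXT ...]
# Returns 0 if "ssh-keygen -A" is present and runs before every "sshd -t",
# 1 otherwise (the failure mode: sshd -t aborts the unit when keys are missing).
keygen_before_config_check() {
    effective_exec_start_pre "$@" |
    awk '
        /ssh-keygen -A/      { keygen = 1 }
        /sshd -t/ && !keygen { bad = 1 }
        END { exit (keygen && !bad) ? 0 : 1 }
    '
}

# strip_build_time_host_keys ROOT
# Removes host keys generated at image build time, like the mmdebstrap
# customize hook; prints how many files were removed. Safe to run twice.
strip_build_time_host_keys() {
    root=$1
    n=0
    for f in "$root"/etc/ssh/ssh_host_*_key*; do
        [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Demonstration when run directly.
echo "naive override, effective order:"
effective_exec_start_pre "$UPSTREAM_UNIT" "$NAIVE_DROPIN"
echo "fixed override, effective order:"
effective_exec_start_pre "$UPSTREAM_UNIT" "$FIXED_DROPIN"
if keygen_before_config_check "$UPSTREAM_UNIT" "$NAIVE_DROPIN"; then
    echo "naive: ok"
else
    echo "naive: ssh-keygen -A would run after sshd -t"
fi
```

On a real system the merged list systemd will actually run is visible with `systemctl show ssh -p ExecStartPre`, which is the quickest way to confirm an override landed in the intended order.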
