On Fri, 2017-10-06 at 13:12 +0100, André Draszik wrote: > From: André Draszik <[email protected]> > > With these changes it is possible to have a .bbappend that > - sets SYSCONFDIR to some persistent storage > - modifies SYSCONFDIR/sshd_config to use ssh host keys from > the (writable) sysconfdir > > Signed-off-by: André Draszik <[email protected]> > Reviewed-by: Stephane Ayotte <[email protected]> > Signed-off-by: Ross Burton <[email protected]> > > (cherry picked from commit 106b59d9f96f70d133fa1421091ad280d27a5b6a) > Signed-off-by: André Draszik <[email protected]> > --- > meta/classes/rootfs-postcommands.bbclass | 4 +-- > meta/recipes-connectivity/openssh/openssh/init | 46 > +++++++++++++++++++++++--- > 2 files changed, 44 insertions(+), 6 deletions(-) > > diff --git a/meta/classes/rootfs-postcommands.bbclass > b/meta/classes/rootfs-postcommands.bbclass > index 2503d89e28..4b91972ce7 100644 > --- a/meta/classes/rootfs-postcommands.bbclass > +++ b/meta/classes/rootfs-postcommands.bbclass > @@ -91,10 +91,10 @@ read_only_rootfs_hook () { > # and the keys under /var/run/ssh. > if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then > if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; > then > - echo "SYSCONFDIR=/etc/ssh" >> > ${IMAGE_ROOTFS}/etc/default/ssh > + echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" > >> ${IMAGE_ROOTFS}/etc/default/ssh > echo "SSHD_OPTS=" >> > ${IMAGE_ROOTFS}/etc/default/ssh > else > - echo "SYSCONFDIR=/var/run/ssh" >> > ${IMAGE_ROOTFS}/etc/default/ssh > + echo "SYSCONFDIR=\${SYSCONFDIR:- > /var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh > echo "SSHD_OPTS='-f > /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh > fi > fi > diff --git a/meta/recipes-connectivity/openssh/openssh/init > b/meta/recipes-connectivity/openssh/openssh/init > index 1f63725cc0..386628afc8 100644 > --- a/meta/recipes-connectivity/openssh/openssh/init > +++ b/meta/recipes-connectivity/openssh/openssh/init 
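Review bot: The escaped `\${SYSCONFDIR:-/etc/ssh}` is written verbatim into /etc/default/ssh so that the default is resolved only when the init script sources that file at boot, letting a value set earlier (by the .bbappend the commit message describes, or the environment) win — that indirection is easy to misread as a build-time expansion, so the hook should say so: `# Escaped on purpose: the default is applied at boot when /etc/default/ssh is sourced, so a pre-set SYSCONFDIR (e.g. persistent storage) is kept`. The same applies to the `/var/run/ssh` branch just below. Note also that the read-only branch still pins `SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'`; since the init hunk takes the HostKey paths from whichever config `-f` selects, overriding SYSCONFDIR alone presumably does not relocate the keys on a read-only rootfs unless that readonly config's HostKey lines are changed too, which the commit message could state. The enclosing read_only_rootfs_hook continues outside the hunk.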
> @@ -19,10 +19,24 @@ fi > [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh > mkdir -p $SYSCONFDIR > > -HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key > -HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key > -HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key > -HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key > +parse_sshd_opts() { > + set -- ${SSHD_OPTS} -- > + sshd_config=/etc/ssh/sshd_config > + while true ; do > + case "$1" in > + -f*) if [ "$1" = "-f" ] ; then > + sshd_config="$2" > + shift > + else > + sshd_config="${1#-f}" > + fi > + shift > + ;; > + --) shift; break;; > + *) shift;; > + esac > + done > +} > > check_for_no_start() { > # forget it if we're trying to start, and > /etc/ssh/sshd_not_to_be_run exists 
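Review bot: parse_sshd_opts hands its result back through the undeclared global `sshd_config`, which check_keys reads later, and nothing in the function says so; add `# Sets the global sshd_config to the file named by -f/-f<file> in SSHD_OPTS (default /etc/ssh/sshd_config); a literal -- inside SSHD_OPTS ends the scan early` above `parse_sshd_opts() {`. A trailing `-f` with no argument also consumes the `--` sentinel (`sshd_config` becomes `--`) and the next iteration runs `*) shift` on an empty list, which POSIX sh treats as an error; inserting `[ "$2" = "--" ] && break` before `sshd_config="$2"` avoids that. `set -- ${SSHD_OPTS} --` relies on word splitting, so a config path containing spaces cannot be expressed — presumably the same limitation as passing SSHD_OPTS to sshd elsewhere in the script, which is outside this hunk, so a comment rather than quoting is the right fix.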
> @@ -45,21 +59,45 @@ check_config() { > } > > check_keys() { > + # parse location of keys > + local HOST_KEY_RSA > + local HOST_KEY_DSA > + local HOST_KEY_ECDSA > + local HOST_KEY_ED25519 > + > + parse_sshd_opts > + HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | > tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey > "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_RSA}" ] && > HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key > + HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | > tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey > "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_DSA}" ] && > HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key > + HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep > _ecdsa_ | tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey > "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_ECDSA}" ] && > HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key > + HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep > _ed25519_ | tail -1 | awk ' { print $2 } ') > + [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep > HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print > $2 } ') > + [ -z "${HOST_KEY_ED25519}" ] && > HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key > + > # create keys if necessary > if [ ! -f $HOST_KEY_RSA ]; then > echo " generating ssh RSA key..." > + mkdir -p $(dirname $HOST_KEY_RSA) > ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa > fi > if [ ! -f $HOST_KEY_ECDSA ]; then > echo " generating ssh ECDSA key..." > + mkdir -p $(dirname $HOST_KEY_ECDSA) > ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa > fi > if [ ! -f $HOST_KEY_DSA ]; then > echo " generating ssh DSA key..." > + mkdir -p $(dirname $HOST_KEY_DSA) > ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa > fi > if [ ! 
-f $HOST_KEY_ED25519 ]; then > echo " generating ssh ED25519 key..." > + mkdir -p $(dirname $HOST_KEY_ED25519) > ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 > fi > } > -- > 2.14.2 >
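Review bot: The four HostKey lookups in check_keys are the same three-line pipeline copied per key type, differing only in the `_rsa_`/`_dsa_`/`_ecdsa_`/`_ed25519_` filter and the fallback filename, which invites drift as the copies are edited separately; a small helper taking the type filter and the default name keeps the lookup in one place. The second, unanchored `grep HostKey` appears to be deliberately picking up the commented-out `#HostKey` defaults that stock sshd_config files carry, which reads like a missing anchor and deserves a comment. `^HostKey` also rejects a line with leading whitespace, which sshd accepts; `^[[:space:]]*HostKey` would cover that if it matters on these images.
```shell
# Resolve the HostKey path for one key type: an active HostKey line in
# the sshd_config chosen by parse_sshd_opts wins, then a commented-out
# "#HostKey" default, then $SYSCONFDIR/<default name>.
host_key_path() {
    local key
    key=$(grep '^HostKey' "${sshd_config}" | grep "$1" | tail -1 | awk '{ print $2 }')
    [ -z "${key}" ] && key=$(grep 'HostKey' "${sshd_config}" | grep "$1" | tail -1 | awk '{ print $2 }')
    [ -z "${key}" ] && key="$SYSCONFDIR/$2"
    echo "${key}"
}

check_keys() {
    # parse location of keys
    local HOST_KEY_RSA
    local HOST_KEY_DSA
    local HOST_KEY_ECDSA
    local HOST_KEY_ED25519

    parse_sshd_opts
    HOST_KEY_RSA=$(host_key_path _rsa_ ssh_host_rsa_key)
    HOST_KEY_DSA=$(host_key_path _dsa_ ssh_host_dsa_key)
    HOST_KEY_ECDSA=$(host_key_path _ecdsa_ ssh_host_ecdsa_key)
    HOST_KEY_ED25519=$(host_key_path _ed25519_ ssh_host_ed25519_key)

    # … unchanged: key generation …
}
```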
If you are backporting this, please also backport ae32558a19ae3b3f175365dc0e10fa74a91e28ce (https://patchwork.openembedded.org/series/7509/) -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
