"Matthew Bullock via lists.openembedded.org" <[email protected]> writes:
> Allow selection of host key types used by openssh via PACKAGECONFIG. > Any combination of hostkey-rsa, hostkey-ecdsa and hostkey-ed25519 can be > specified. Default to just generating ecdsa keys. > > The current default generates all three keys. This can take a > significant amount of time on first boot. Having all three keys does not > significantly increase compatability. Also RSA keys are being deprecated > as they are no longer considered secure. Using just an ecdsa key reduces > key generation time by roughly 75%. > > Signed-off-by: Matthew Bullock <[email protected]> > --- > .../openssh/openssh_9.7p1.bb | 29 ++++++++++++++++--- > 1 file changed, 25 insertions(+), 4 deletions(-) > > diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > index ab453f7bbe..0bc14c5553 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb > @@ -56,7 +56,7 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', > 'systemd', 'systemd', '', d) > > # systemd-sshd-socket-mode means installing sshd.socket > # and systemd-sshd-service-mode corresponding to sshd.service > -PACKAGECONFIG ??= "systemd-sshd-socket-mode" > +PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa" > PACKAGECONFIG[fido2] = > "--with-security-key-builtin,--disable-security-key,libfido2" > PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" > PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" > @@ -64,6 +64,9 @@ PACKAGECONFIG[libedit] = > "--with-libedit,--without-libedit,libedit" > PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" > PACKAGECONFIG[systemd-sshd-socket-mode] = "" > PACKAGECONFIG[systemd-sshd-service-mode] = "" > +PACKAGECONFIG[hostkey-rsa] = "" > +PACKAGECONFIG[hostkey-ecdsa] = "" > +PACKAGECONFIG[hostkey-ed25519] = "" > > EXTRA_AUTORECONF += "--exclude=aclocal" 
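Review bot: the new default `PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"` silently drops the RSA and ed25519 host keys from every image that does not set PACKAGECONFIG itself, so a client that already holds an existing device's RSA or ed25519 key in known_hosts will be presented with an unknown key of a different type after an upgrade and has to re-verify the host; say so in the commit message, and consider keeping hostkey-ed25519 in the default next to hostkey-ecdsa, since current OpenSSH clients prefer ssh-ed25519. The three `PACKAGECONFIG[hostkey-*] = ""` entries carry no configure flags, so a one-line comment above them saying they only select which HostKey lines do_install writes (and therefore which keys get generated at first boot) would spare the next reader a trip to do_install:append.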
> > @@ -127,13 +130,31 @@ do_install:append () { > install -m 644 ${UNPACKDIR}/volatiles.99_sshd > ${D}/${sysconfdir}/default/volatiles/99_sshd > install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir} > > + # Enable specific ssh host keys > + sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then > + echo "HostKey /etc/ssh/ssh_host_rsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config > + fi > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then > + echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config > + fi > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; > then > + echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> > ${D}${sysconfdir}/ssh/sshd_config > + fi > + > # Create config files for read-only rootfs > install -d ${D}${sysconfdir}/ssh > install -m 644 ${D}${sysconfdir}/ssh/sshd_config > ${D}${sysconfdir}/ssh/sshd_config_readonly > sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly > - echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > - echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > - echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then > + echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > + fi > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then > + echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > + fi > + if > ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; > then > + echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> > ${D}${sysconfdir}/ssh/sshd_config_readonly > + fi This will break our setup. 
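Review bot: the new `sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config` is unanchored, so it also deletes any `HostKeyAlgorithms` line and the commented `#HostKey` examples, and it unconditionally discards a HostKey that a layer's own sshd_config already sets; suggest anchoring it (`/^[[:space:]]*HostKey[[:space:]]/`) and only appending when no active HostKey directive is present. The hunk also has no handling for a PACKAGECONFIG with no hostkey-* item at all: both sshd_config and sshd_config_readonly then end up without a HostKey line and sshd falls back to its compiled-in /etc/ssh defaults, which cannot be generated on a read-only rootfs, so the read-only case deserves at least a bbwarn or a hard failure. The three identical if/echo/fi blocks per file could be one loop over `rsa ecdsa ed25519` that tests `bb.utils.contains` once per type.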
We rely on the sshd_config including the Include /etc/ssh/sshd_config.d/*.conf directive and put a hostkeys.conf file in there, specifying the host key type(s) and paths we need (we have a read-only rootfs, but do have a place for persistent and per-machine stuff like this, so we use neither of the /etc or /var/run paths).

I suppose we can remove hostkey-ecdsa and any other hostkey-* that may appear in PACKAGECONFIG in the future. But I think others may, for example, have a .bbappend where they supply a whole alternative sshd_config with similar explicit HostKey settings, and this would also break for them.

So perhaps this could/should be guarded by 'grep -i ^hostkey' not finding anything in sshd_config or sshd_config.d/*.conf ?

Rasmus
View/Reply Online (#201423): https://lists.openembedded.org/g/openembedded-core/message/201423
