From: Chen Qi <[email protected]>

If the rootfs is read-only and the ssh keys are not available at system
start-up, the init script will generate ssh keys into /etc/ssh, thus
causing a 'read-only file system' error.

In order for Yocto based image to work correctly for read-only rootfs,
we use the following logic for openssh.

If the rootfs is read-only and there are pre-generated keys under /etc/ssh,
we use the pre-generated keys. Note the pre-generated keys are mainly for
debugging or development purpose.
If the rootfs is read-only and there are no pre-generated keys under
/etc/ssh, we use /var/run/ssh as the location for ssh keys. That is, at
system boot-up, the generated ssh keys will be put into /var/run/ssh.

[YOCTO #4887]

Signed-off-by: Chen Qi <[email protected]>
---
 meta/classes/image.bbclass                         |   12 +++++++++++
 .../openssh/openssh-6.2p2/init                     |   22 +++++++++++++-------
 meta/recipes-connectivity/openssh/openssh_6.2p2.bb |    9 +++++++-
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 15fe51a..769cf81 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -264,6 +264,18 @@ read_only_rootfs_hook () {
                if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
                        ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
                fi
+               # If we're using openssh and the /etc/ssh directory has no 
pre-generated keys,
+               # we should configure openssh to use the configuration file 
/etc/ssh/sshd_config_readonly
+               # and the keys under /var/run/ssh.
+               if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+                       if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+                               echo "SYSCONFDIR=/etc/ssh" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+                               echo "SSHD_OPTS=" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+                       else
+                               echo "SYSCONFDIR=/var/run/ssh" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+                               echo "SSHD_OPTS='-f 
/etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                       fi
+               fi
        fi
 }
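Review bot: In the keys-present branch the hook appends `echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh`, and because the init script sources that file sequentially, this silently empties any SSHD_OPTS a user or another layer already placed there; only the read-only branch needs to set it, so that line should be dropped (or guarded with `grep -q '^SSHD_OPTS=' ${IMAGE_ROOTFS}/etc/default/ssh ||`). The unconditional `>>` appends also add another pair of lines on every re-run of the hook, which is harmless but deserves a comment. The decision is keyed on ssh_host_rsa_key alone, so an image that ships only an ECDSA or DSA key still ends up in the /var/run/ssh branch; the comment above the test should say the RSA key is the sentinel, or the test should cover all three. The comment should also state plainly that pre-generated keys in /etc/ssh give every device built from the image the same host identity, which is why they are a development-only option.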
 
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init 
b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
index 6beec84..12fb79b 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.2p2/init
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
@@ -6,14 +6,22 @@ set -e
 test -x /usr/sbin/sshd || exit 0
 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
 
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
 if test -f /etc/default/ssh; then
     . /etc/default/ssh
 fi
 
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+
 check_for_no_start() {
     # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run 
exists
-    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
-       echo "OpenBSD Secure Shell server not in use 
(/etc/ssh/sshd_not_to_be_run)"
+    if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
+       echo "OpenBSD Secure Shell server not in use 
($SYSCONFDIR/sshd_not_to_be_run)"
        exit 0
     fi
 }
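Review bot: `mkdir -p $SYSCONFDIR` and the `[ -e $SYSCONFDIR/sshd_not_to_be_run ]` test use the value sourced from /etc/default/ssh unquoted; quote it (`mkdir -p "$SYSCONFDIR"`, `[ -e "$SYSCONFDIR/sshd_not_to_be_run" ]`) so whitespace in the setting cannot split into several paths. The default assignment `[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh` can be written `: "${SYSCONFDIR:=/etc/ssh}"`, which gives the same result without relying on how `set -e` treats a failing `&&` list. The mkdir also runs before check_for_no_start, so the directory is created even when sshd has been disabled via sshd_not_to_be_run; moving it next to the key generation would keep the early-exit path free of side effects (whether check_keys is called on every start is outside this hunk).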
@@ -32,17 +40,17 @@ check_config() {
 
 check_keys() {
        # create keys if necessary
-       if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+       if [ ! -f $HOST_KEY_RSA ]; then
                echo "  generating ssh RSA key..."
-               ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+               ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
        fi
-       if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+       if [ ! -f $HOST_KEY_ECDSA ]; then
                echo "  generating ssh ECDSA key..."
-               ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+               ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
        fi
        if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
                echo "  generating ssh DSA key..."
-               ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
+               ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
        fi
 }
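Review bot: The DSA branch still tests the hard-coded `/etc/ssh/ssh_host_dsa_key` while its ssh-keygen now writes to `$HOST_KEY_DSA`; when SYSCONFDIR is /var/run/ssh that test is never true, so the DSA key is regenerated on every run of the script, and ssh-keygen, finding the existing file, will likely ask whether to overwrite and fail non-interactively under the script's `set -e`. Change it to `if [ ! -f "$HOST_KEY_DSA" ]; then`, and quote `$HOST_KEY_RSA` and `$HOST_KEY_ECDSA` in the other two tests and keygen calls for consistency. A one-line comment above check_keys noting that keys land in $SYSCONFDIR, which is a tmpfs on a read-only rootfs and therefore yields a fresh host identity per boot, would help the next maintainer.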
 
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb 
b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index ab2eefb..c76f9ac 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
@@ -86,6 +86,13 @@ do_install_append () {
        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
        rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
        rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run 
${D}${localstatedir}
+        # Create config files for read-only rootfs
+       install -d ${D}${sysconfdir}/ssh
+       install -m 644 ${WORKDIR}/sshd_config 
${D}${sysconfdir}/ssh/sshd_config_readonly
+       sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+       echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
+       echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
+       echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
 }
 
 ALLOW_EMPTY_${PN} = "1"
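Review bot: `sed -i '/HostKey/d'` removes every line that merely contains the substring HostKey, so a HostKeyAlgorithms directive or an explanatory comment in a future sshd_config would be deleted as well; anchoring it, `sed -i '/^[[:space:]]*#\{0,1\}HostKey[[:space:]]/d'`, limits the deletion to HostKey directives, commented or not. The three `/var/run/ssh` paths appended here duplicate the value image.bbclass writes into /etc/default/ssh, and nothing ties the two together; a comment stating that SYSCONFDIR in the image hook and these HostKey lines must agree (or a single variable in the recipe) would prevent them drifting apart. The `# Create config files for read-only rootfs` comment is indented with spaces while the surrounding lines use tabs.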
@@ -94,7 +101,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd 
${PN}-sftp ${PN}-misc $
 FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
+FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config 
${sysconfdir}/ssh/sshd_config_readonly"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
-- 
1.7.9.5
