Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Michael Olbrich
On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> How can openssh.postinst be disabled from within the rule files?
> ---
>  rules/openssh.in   | 14 ++
>  rules/openssh.make |  2 ++
>  2 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/rules/openssh.in b/rules/openssh.in
> index 09f5c..f9d1affbd 100644
> --- a/rules/openssh.in
> +++ b/rules/openssh.in
> @@ -6,10 +6,10 @@ menuconfig OPENSSH
>   select OPENSSL
>   select LIBC_CRYPT
>   select LIBC_UTIL
> - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
>   select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
>   select LIBSELINUX if GLOBAL_SELINUX
> - select OPENSSH_KEYGEN if OPENSSH_SSHD
> + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
>   prompt "openssh   "
>   help
> secure shell client/server, an rlogin/rsh/rcp replacement
> @@ -40,15 +40,21 @@ config OPENSSH_SSHD
>  config OPENSSH_SSHD_STARTSCRIPT
>   bool
>   default y
> - depends on OPENSSH_SSHD
> + depends on OPENSSH_SSHD && INITMETHOD_BBINIT

unrelated.

>   prompt "install /etc/init.d/openssh"
>  
>  config OPENSSH_SSHD_SYSTEMD_UNIT
>   bool
>   default y
> - depends on OPENSSH_SSHD && SYSTEMD
> + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD

this as well.

Michael

>   prompt "install systemd unit files for sshd"
>  
> +config OPENSSH_SSHD_GENKEYS
> + bool
> + default y
> + depends on OPENSSH_SSHD
> + prompt "generate sshd host keys at first boot"
> +
>  config OPENSSH_SCP
>   bool "scp"
>   help
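Review bot: the new `config OPENSSH_SSHD_GENKEYS` block carries no `help` text, so nothing warns the user that switching it off leaves sshd without host keys, and sshd will not start in that state unless the BSP places /etc/ssh/ssh_host_*_key by other means (per-device provisioning, or a BSP-level override such as the /dev/null symlink mentioned in this thread). Suggest adding a `help` entry under the `prompt "generate sshd host keys at first boot"` line that says exactly that, and that shipping one static key set in the image is not a substitute.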
> diff --git a/rules/openssh.make b/rules/openssh.make
> index cae04487f..0da2f23cd 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
>   /etc/ssh/moduli)
>   @$(call install_copy, openssh, 0, 0, 0755, -, \
>   /usr/sbin/sshd)
> +ifdef OPENSSH_SSHD_GENKEYS
>   @$(call install_alternative, openssh, 0, 0, 0755, 
> /etc/rc.once.d/openssh)
>  endif
> +endif
>  
>  ifdef PTXCONF_INITMETHOD_BBINIT
>  ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
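Review bot: `+ifdef OPENSSH_SSHD_GENKEYS` tests the wrong symbol. Kconfig options reach the makefile with a `PTXCONF_` prefix, as the surrounding `ifdef PTXCONF_OPENSSH_SSHD`, `ifdef PTXCONF_INITMETHOD_BBINIT` and `ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT` show, so this condition is never true and /etc/rc.once.d/openssh would silently stop being installed even with the option enabled; it should read `ifdef PTXCONF_OPENSSH_SSHD_GENKEYS`. Separately, the new `+endif` is placed after the existing ` endif`, so the old `endif` now closes the inner conditional and the new one closes `PTXCONF_OPENSSH_SSHD`; make does not mind, but putting the new `endif` directly after the `install_alternative` call keeps the nesting readable.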
> -- 
> 2.29.2
> 
> 
> ___
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to 
> ptxdist-requ...@pengutronix.de
> 



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Michael Olbrich
On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > How can openssh.postinst be disabled from within the rule files?
> > > > 
> > > > The very same could be achieved with a symlink in your BSP:
> > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > 
> > > I don't understand why you want to disable this. The SSH server will not
> > > start without host keys. Or do you want to install a static version of
> > > the host keys generated at build time? 
> > 
> > Yes, keys are static, generated at build time. Root filesystem is
> > read-only.
> > 
> > > If so, there should be an option for this. But for now, in my opinion,
> > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > 
> > As this is easy to solve at BSP level I never thought it could
> > be a thing :)
> 
> OK, but at least I would mention it in the kconfig help text. The

Ack.

> openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> install_alternative if this option is disabled.

No. Shared ssh server keys are a bad idea. That's not something I want to
merge upstream.

But there are other use-cases to not use rc-once, e.g. if the server keys
are generated during provisioning. And not selecting rc-once in this case
makes sense, so this is acceptable in general.

Michael




Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-15 Thread Roland Hieber
On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > How can openssh.postinst be disabled from within the rule files?
> > > 
> > > The very same could be achieved with a symlink in your BSP:
> > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > 
> > I don't understand why you want to disable this. The SSH server will not
> > start without host keys. Or do you want to install a static version of
> > the host keys generated at build time? 
> 
> Yes, keys are static, generated at build time. Root filesystem is
> read-only.
> 
> > If so, there should be an option for this. But for now, in my opinion,
> > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> 
> As this is easy to solve at BSP level I never thought it could
> be a thing :)

OK, but at least I would mention it in the kconfig help text. The
openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
install_alternative if this option is disabled.

 - Roland

-- 
Roland Hieber, Pengutronix e.K.  | r.hie...@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany| Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917- |



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-15 Thread Ladislav Michl
On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > How can openssh.postinst be disabled from within the rule files?
> > 
> > The very same could be achieved with a symlink in your BSP:
> > projectroot/etc/rc.once.d/openssh -> /dev/null
> 
> I don't understand why you want to disable this. The SSH server will not
> start without host keys. Or do you want to install a static version of
> the host keys generated at build time? 

Yes, keys are static, generated at build time. Root filesystem is
read-only.

> If so, there should be an option for this. But for now, in my opinion,
> disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.

As this is easy to solve at BSP level I never thought it could
be a thing :)

ladis



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-14 Thread Roland Hieber
On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > How can openssh.postinst be disabled from within the rule files?
> 
> The very same could be achieved with a symlink in your BSP:
> projectroot/etc/rc.once.d/openssh -> /dev/null

I don't understand why you want to disable this. The SSH server will not
start without host keys. Or do you want to install a static version of
the host keys generated at build time? If so, there should be an option
for this. But for now, in my opinion, disabling OPENSSH_SSHD_GENKEYS
will just lead to a broken SSH server.

 - Roland

> 
> > ---
> >  rules/openssh.in   | 14 ++
> >  rules/openssh.make |  2 ++
> >  2 files changed, 12 insertions(+), 4 deletions(-)
> > 
> > diff --git a/rules/openssh.in b/rules/openssh.in
> > index 09f5c..f9d1affbd 100644
> > --- a/rules/openssh.in
> > +++ b/rules/openssh.in
> > @@ -6,10 +6,10 @@ menuconfig OPENSSH
> > select OPENSSL
> > select LIBC_CRYPT
> > select LIBC_UTIL
> > -   select RC_ONCE if OPENSSH_SSHD && RUNTIME
> > +   select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
> > select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
> > select LIBSELINUX if GLOBAL_SELINUX
> > -   select OPENSSH_KEYGEN if OPENSSH_SSHD
> > +   select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
> > prompt "openssh   "
> > help
> >   secure shell client/server, an rlogin/rsh/rcp replacement
> > @@ -40,15 +40,21 @@ config OPENSSH_SSHD
> >  config OPENSSH_SSHD_STARTSCRIPT
> > bool
> > default y
> > -   depends on OPENSSH_SSHD
> > +   depends on OPENSSH_SSHD && INITMETHOD_BBINIT
> > prompt "install /etc/init.d/openssh"
> >  
> >  config OPENSSH_SSHD_SYSTEMD_UNIT
> > bool
> > default y
> > -   depends on OPENSSH_SSHD && SYSTEMD
> > +   depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
> > prompt "install systemd unit files for sshd"
> >  
> > +config OPENSSH_SSHD_GENKEYS
> > +   bool
> > +   default y
> > +   depends on OPENSSH_SSHD
> > +   prompt "generate sshd host keys at first boot"
> > +
> >  config OPENSSH_SCP
> > bool "scp"
> > help
> > diff --git a/rules/openssh.make b/rules/openssh.make
> > index cae04487f..0da2f23cd 100644
> > --- a/rules/openssh.make
> > +++ b/rules/openssh.make
> > @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
> > /etc/ssh/moduli)
> > @$(call install_copy, openssh, 0, 0, 0755, -, \
> > /usr/sbin/sshd)
> > +ifdef OPENSSH_SSHD_GENKEYS
> > @$(call install_alternative, openssh, 0, 0, 0755, 
> > /etc/rc.once.d/openssh)
> >  endif
> > +endif
> >  
> >  ifdef PTXCONF_INITMETHOD_BBINIT
> >  ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
> > -- 
> > 2.29.2
> > 
> > 

-- 
Roland Hieber, Pengutronix e.K.  | r.hie...@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany| Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917- |



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-13 Thread Ladislav Michl
On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> How can openssh.postinst be disabled from within the rule files?

The very same could be achieved with a symlink in your BSP:
projectroot/etc/rc.once.d/openssh -> /dev/null

> ---
>  rules/openssh.in   | 14 ++
>  rules/openssh.make |  2 ++
>  2 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/rules/openssh.in b/rules/openssh.in
> index 09f5c..f9d1affbd 100644
> --- a/rules/openssh.in
> +++ b/rules/openssh.in
> @@ -6,10 +6,10 @@ menuconfig OPENSSH
>   select OPENSSL
>   select LIBC_CRYPT
>   select LIBC_UTIL
> - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
>   select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
>   select LIBSELINUX if GLOBAL_SELINUX
> - select OPENSSH_KEYGEN if OPENSSH_SSHD
> + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
>   prompt "openssh   "
>   help
> secure shell client/server, an rlogin/rsh/rcp replacement
> @@ -40,15 +40,21 @@ config OPENSSH_SSHD
>  config OPENSSH_SSHD_STARTSCRIPT
>   bool
>   default y
> - depends on OPENSSH_SSHD
> + depends on OPENSSH_SSHD && INITMETHOD_BBINIT
>   prompt "install /etc/init.d/openssh"
>  
>  config OPENSSH_SSHD_SYSTEMD_UNIT
>   bool
>   default y
> - depends on OPENSSH_SSHD && SYSTEMD
> + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
>   prompt "install systemd unit files for sshd"
>  
> +config OPENSSH_SSHD_GENKEYS
> + bool
> + default y
> + depends on OPENSSH_SSHD
> + prompt "generate sshd host keys at first boot"
> +
>  config OPENSSH_SCP
>   bool "scp"
>   help
> diff --git a/rules/openssh.make b/rules/openssh.make
> index cae04487f..0da2f23cd 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
>   /etc/ssh/moduli)
>   @$(call install_copy, openssh, 0, 0, 0755, -, \
>   /usr/sbin/sshd)
> +ifdef OPENSSH_SSHD_GENKEYS
>   @$(call install_alternative, openssh, 0, 0, 0755, 
> /etc/rc.once.d/openssh)
>  endif
> +endif
>  
>  ifdef PTXCONF_INITMETHOD_BBINIT
>  ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
> -- 
> 2.29.2
> 
> 

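The two sides of this thread, the first-boot key generation that /etc/rc.once.d/openssh exists for and Michael's point that one key set shared by every device is a bad idea, as an added example in POSIX sh. This is not ptxdist's rc.once script and not code from anyone in the thread; the function names are mine, and it assumes ssh-keygen on PATH (only for generate_host_keys) and the standard OpenSSH layout <dir>/ssh_host_<type>_key.

```shell
#!/bin/sh
# Added example, not ptxdist's /etc/rc.once.d/openssh script.
# Assumes: ssh-keygen on PATH (only needed by generate_host_keys) and the
# usual OpenSSH layout <dir>/ssh_host_<type>_key.

HOST_KEY_TYPES="rsa ecdsa ed25519"

# Print, one per line, the key types whose private key file is absent or
# empty in the directory given as $1 (default /etc/ssh).
missing_host_keys() {
    _dir=${1:-/etc/ssh}
    for _t in $HOST_KEY_TYPES; do
        [ -s "$_dir/ssh_host_${_t}_key" ] || printf '%s\n' "$_t"
    done
}

# First-boot step: create only the keys that are missing, so keys already
# placed by provisioning are kept, and generate under umask 077 so a private
# key is never world-readable, not even briefly.
generate_host_keys() {
    _dir=${1:-/etc/ssh}
    for _t in $(missing_host_keys "$_dir"); do
        ( umask 077 && ssh-keygen -q -t "$_t" -N "" \
              -f "$_dir/ssh_host_${_t}_key" ) || return 1
    done
    return 0
}

# Build-time guard for images built with first-boot generation disabled:
# returns 1 (and names the files on stderr) if the staged root filesystem
# in $1 already contains private host keys, which every device flashed
# from that image would then share.
check_no_shipped_host_keys() {
    _root=$1
    _found=0
    for _t in $HOST_KEY_TYPES; do
        if [ -e "$_root/etc/ssh/ssh_host_${_t}_key" ]; then
            echo "shipped private host key: /etc/ssh/ssh_host_${_t}_key" >&2
            _found=1
        fi
    done
    return $_found
}
```

On a device, `generate_host_keys /etc/ssh` is the whole first-boot step; on a read-only root filesystem it only works if /etc/ssh is writable storage or an overlay, which is why the provisioning route puts the keys in place before first boot. `check_no_shipped_host_keys "$STAGING_ROOT"` belongs in the image build, where it fails the build rather than letting a shared key reach the field.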