Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys

2020-09-28 Thread Khem Raj
On Mon, Sep 28, 2020 at 8:39 AM Mark Hatle wrote:
>
> I'm worried about this from a product security perspective.
>
> I think this is very valid case for an autobuilder/autotest infrastructure,
> however if this ends up in a release product it will lead to huge problems.
>
> Is there a way we can ensure this can only be used for the autobuilder/autotest
> infrastructure, and never provided by accident in an image.  (If a user decided
> they must do something like this, we can't stop them -- but we should allow it
> to happen either by accident or make it look like it's good practice.)
>


It's in the same class as debug-tweaks in IMAGE_FEATURES, so if we can tie
it to debug tweaks we should be offering a good
balanced solution.

> --Mark
>
> On 9/23/20 10:05 AM, Richard Purdie wrote:
> > Host keys are getting bigger and taking an ever increasing amount of time
> > to generate. Whilst we do need to test that works, we don't need to test
> > it in every image. Add a recipe which can be added to images with
> > pre-generated keys, allowing us to speed up tests on the autobuilder
> > where it makes sense to.
> >
> > Signed-off-by: Richard Purdie 
> > ---
> >  .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes
> >  .../openssh/ssh_host_ecdsa_key|   9 +
> >  .../openssh/ssh_host_ecdsa_key.pub|   1 +
> >  .../openssh/ssh_host_ed25519_key  |   7 
> >  .../openssh/ssh_host_ed25519_key.pub  |   1 +
> >  .../openssh/ssh_host_rsa_key  |  38 ++
> >  .../openssh/ssh_host_rsa_key.pub  |   1 +
> >  .../ssh-pregen-hostkeys_1.0.bb|  19 +
> >  8 files changed, 76 insertions(+)
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
> >  create mode 100644 
> > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
> >
> > diff --git 
> > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
> >  
> > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
> > new file mode 100644
> > index 
> > ..30443c94388530f82308f41517839c8932026eec
> > GIT binary patch
> > literal 805
> > zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9o > z#>e=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX
> > ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs
> > zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj > zr|?tGWY(1vcP3@X_D<(~^_D`?%NDne77p}AN|!y909XYC`_sATu*WrQf(gmixEp2-
> > z>$8a#0)WG > zP#Ae@xR_Z!^$9gP{n3QwBhy^nPrHKA9b%3xtLoGy16TJlVr!|nt%cHREwUHDBZ)#&
> > zIuv0};sB&0b(1XUZ=R#^gKw)AJ->viB+c > z@@ZGZ%D<}4p}ve0)Xwh;edfrl=)p~)sWosd`Y;+BqJ~l)2TH)09_+3
> > zZ4`?ekchIl_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg > zbV^FhSAdt5 > z)g%(nv9r;~j;->7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)Gfn > zS-L{YkFoPvZ(fHzZ3tgU=!A>JlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF
> > zuVc{w004mi|Ec > zN-Z{|f9K{)ifw^eNk}eKbdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP&
> > jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR&
> >
> > literal 0
> > HcmV?d1
> >
> > diff --git 
> > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> >  
> > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> > new file mode 100644
> > index 000..86c2104ec8a
> > --- /dev/null
> > +++ 
> > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> > @@ -0,0 +1,9 @@
> > +-BEGIN OPENSSH PRIVATE KEY-
> > +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS
> > +1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF
> > +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN
> > +uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30
> > +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E
> > +cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw
> > +cwECAw==
> > +-END OPENSSH PRIVATE KEY-
> > diff --git 
> > 

Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys

2020-09-28 Thread Otavio Salvador
On Mon, Sep 28, 2020 at 12:39, Mark Hatle wrote:
>
> I'm worried about this from a product security perspective.
>
> I think this is very valid case for an autobuilder/autotest infrastructure,
> however if this ends up in a release product it will lead to huge problems.
>
> Is there a way we can ensure this can only be used for the autobuilder/autotest
> infrastructure, and never provided by accident in an image.  (If a user decided
> they must do something like this, we can't stop them -- but we should allow it
> to happen either by accident or make it look like it's good practice.)

Maybe a YP_AB_SPECIFIC variable which if not set a python
function could skip the recipe?

-- 
Otavio Salvador O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854  Mobile: +1 (347) 903-9750




Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys

2020-09-28 Thread Mark Hatle
I'm worried about this from a product security perspective.

I think this is very valid case for an autobuilder/autotest infrastructure,
however if this ends up in a release product it will lead to huge problems.

Is there a way we can ensure this can only be used for the autobuilder/autotest
infrastructure, and never provided by accident in an image.  (If a user decided
they must do something like this, we can't stop them -- but we should allow it
to happen either by accident or make it look like it's good practice.)

--Mark

On 9/23/20 10:05 AM, Richard Purdie wrote:
> Host keys are getting bigger and taking an ever increasing amount of time
> to generate. Whilst we do need to test that works, we don't need to test
> it in every image. Add a recipe which can be added to images with
> pre-generated keys, allowing us to speed up tests on the autobuilder
> where it makes sense to.
> 
> Signed-off-by: Richard Purdie 
> ---
>  .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes
>  .../openssh/ssh_host_ecdsa_key|   9 +
>  .../openssh/ssh_host_ecdsa_key.pub|   1 +
>  .../openssh/ssh_host_ed25519_key  |   7 
>  .../openssh/ssh_host_ed25519_key.pub  |   1 +
>  .../openssh/ssh_host_rsa_key  |  38 ++
>  .../openssh/ssh_host_rsa_key.pub  |   1 +
>  .../ssh-pregen-hostkeys_1.0.bb|  19 +
>  8 files changed, 76 insertions(+)
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
>  create mode 100644 
> meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
> 
> diff --git 
> a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
>  
> b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
> new file mode 100644
> index 
> ..30443c94388530f82308f41517839c8932026eec
> GIT binary patch
> literal 805
> zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9o z#>e=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX
> ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs
> zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj zr|?tGWY(1vcP3@X_D<(~^_D`?%NDne77p}AN|!y909XYC`_sATu*WrQf(gmixEp2-
> z>$8a#0)WG zP#Ae@xR_Z!^$9gP{n3QwBhy^nPrHKA9b%3xtLoGy16TJlVr!|nt%cHREwUHDBZ)#&
> zIuv0};sB&0b(1XUZ=R#^gKw)AJ->viB+c z@@ZGZ%D<}4p}ve0)Xwh;edfrl=)p~)sWosd`Y;+BqJ~l)2TH)09_+3
> zZ4`?ekchIl_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg zbV^FhSAdt5 z)g%(nv9r;~j;->7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)Gfn zS-L{YkFoPvZ(fHzZ3tgU=!A>JlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF
> zuVc{w004mi|Ec zN-Z{|f9K{)ifw^eNk}eKbdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP&
> jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR&
> 
> literal 0
> HcmV?d1
> 
> diff --git 
> a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
>  
> b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> new file mode 100644
> index 000..86c2104ec8a
> --- /dev/null
> +++ 
> b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
> @@ -0,0 +1,9 @@
> +-BEGIN OPENSSH PRIVATE KEY-
> +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS
> +1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF
> +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN
> +uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30
> +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E
> +cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw
> +cwECAw==
> +-END OPENSSH PRIVATE KEY-
> diff --git 
> a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
>  
> b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
> new file mode 100644
> index 000..a358aeb88a7
> --- /dev/null
> +++ 
> b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
> @@ -0,0 +1 @@
> +ecdsa-sha2-nistp256 
> 
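
A release gate for the concern raised in this message, as an added example that is not part of the thread or of OE-core: it hashes every file in a checkout of the pregenerated-key directory and reports any byte-identical copy found inside an image rootfs. The directory names and the placeholder byte strings in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_denylist(key_dir):
    """Map SHA-256 -> (relative name, size) for every file in the pregenerated-key directory."""
    deny = {}
    for root, _dirs, files in os.walk(key_dir):
        for name in files:
            path = os.path.join(root, name)
            deny[sha256_file(path)] = (os.path.relpath(path, key_dir), os.path.getsize(path))
    return deny

def scan_rootfs(rootfs, deny):
    """Return sorted (rootfs-relative path, matched key file) for each copy found."""
    sizes = {size for _name, size in deny.values()}
    hits = []
    for root, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(root, name)
            # Skip symlinks and files whose size cannot match a known key.
            if os.path.islink(path) or os.path.getsize(path) not in sizes:
                continue
            match = deny.get(sha256_file(path))
            if match:
                hits.append((os.path.relpath(path, rootfs), match[0]))
    return sorted(hits)

def demo():
    """Constructed sample tree; the byte strings are placeholders, not real keys."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(tmp, "pregen-keys")           # hypothetical checkout of the key files
        etc_ssh = os.path.join(tmp, "rootfs", "etc", "ssh")  # hypothetical image rootfs
        os.makedirs(key_dir)
        os.makedirs(etc_ssh)
        samples = {
            os.path.join(key_dir, "ssh_host_ed25519_key"): b"PLACEHOLDER-PREGENERATED\n",
            os.path.join(etc_ssh, "ssh_host_ed25519_key"): b"PLACEHOLDER-PREGENERATED\n",
            os.path.join(etc_ssh, "ssh_host_rsa_key"): b"PLACEHOLDER-MADE-ON-BOOT\n",
        }
        for path, data in samples.items():
            with open(path, "wb") as f:
                f.write(data)
        return scan_rootfs(os.path.join(tmp, "rootfs"), build_denylist(key_dir))

if __name__ == "__main__":
    for path, key in demo():
        print(f"FAIL: {path} is the pregenerated {key}")
```

A byte-for-byte match only catches unmodified copies; a re-encoded private key would need a public-key fingerprint comparison instead.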

[OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys

2020-09-23 Thread Richard Purdie
Host keys are getting bigger and taking an ever increasing amount of time
to generate. Whilst we do need to test that works, we don't need to test
it in every image. Add a recipe which can be added to images with
pre-generated keys, allowing us to speed up tests on the autobuilder
where it makes sense to.

Signed-off-by: Richard Purdie 
---
 .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes
 .../openssh/ssh_host_ecdsa_key|   9 +
 .../openssh/ssh_host_ecdsa_key.pub|   1 +
 .../openssh/ssh_host_ed25519_key  |   7 
 .../openssh/ssh_host_ed25519_key.pub  |   1 +
 .../openssh/ssh_host_rsa_key  |  38 ++
 .../openssh/ssh_host_rsa_key.pub  |   1 +
 .../ssh-pregen-hostkeys_1.0.bb|  19 +
 8 files changed, 76 insertions(+)
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
 create mode 100644 
meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
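
Review bot: The subject prefix reads ssh-regen-hostkeys, but every path in the diffstat, including ssh-pregen-hostkeys_1.0.bb, uses ssh-pregen-hostkeys. The subject should carry the recipe's actual name so the commit can be found by searching the log for it.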

diff --git 
a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
new file mode 100644
index 
..30443c94388530f82308f41517839c8932026eec
GIT binary patch
literal 805
zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9oe=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX
ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs
zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj$8a#0)WGviB+c_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)GfnJlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF
zuVc{w004mi|EcdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP&
jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR&

literal 0
HcmV?d1
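
Review bot: The 805-byte dropbear_rsa_host_key arrives as a GIT binary patch that cannot be inspected in review, and nothing in the commit message records how it was produced. Add the generating command and key size to the commit message or to a README beside the file so the key can be regenerated and its parameters checked. The diffstat also ships only an RSA key for Dropbear while OpenSSH gets ecdsa, ed25519 and rsa; please state whether that is intentional.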

diff --git 
a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
new file mode 100644
index 000..86c2104ec8a
--- /dev/null
+++ 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
@@ -0,0 +1,9 @@
+-BEGIN OPENSSH PRIVATE KEY-
+b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS
+1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF
+rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN
+uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30
+07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E
+cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw
+cwECAw==
+-END OPENSSH PRIVATE KEY-
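
Review bot: ssh_host_ecdsa_key is added with "new file mode 100644", and sshd will not load a private host key that is group- or world-readable. The install step in the recipe needs to set 0600 on each private key; the .bb is not shown in this part of the patch, so please confirm it does, otherwise the pregenerated key will not be used.
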
diff --git 
a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
new file mode 100644
index 000..a358aeb88a7
--- /dev/null
+++ 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 
E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA3007BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2Ec=
 root@qemupregen
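
Review bot: The key comment root@qemupregen on the +ecdsa-sha2-nistp256 line is the only in-band marker that this is a shared test key. A comment that says outright that the key is a public test key would make it recognizable wherever the public half surfaces, such as known_hosts entries or image scans.
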
diff --git 
a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
new file mode 100644
index 000..00ed9adae2f
--- /dev/null
+++ 
b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-BEGIN OPENSSH PRIVATE KEY-
+b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABMwtzc2gtZW
+QyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbwAAAJChFtV0oRbV
+dAtzc2gtZWQyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbw
+AAAEA8UiUsygsTbP0HkDi5leXpQaVXihDyCHeitkBCItJGhcdIVMBsnc5N3WvUTwbkmV4K
+awkSlAeZ1Ma0xxirBZtvDXJvb3RAcWVtdW1pcHM=
+-END OPENSSH PRIVATE KEY-
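
Review bot: Nothing visible in the patch stops these keys from reaching a shipped image: with ssh_host_ed25519_key and the other private halves in the public tree, any device that installs this recipe has a host identity anyone can reproduce. The recipe should refuse to build unless an explicit test-only opt-in is set, a README beside the keys should say they are for test images only, and the commit message should state that restriction rather than only "where it makes sense to".
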
diff --git 
a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub