Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys
On Mon, Sep 28, 2020 at 8:39 AM Mark Hatle wrote:
>
> I'm worried about this from a product security perspective.
>
> I think this is a very valid case for an autobuilder/autotest infrastructure,
> however if this ends up in a release product it will lead to huge problems.
>
> Is there a way we can ensure this can only be used for the autobuilder/autotest
> infrastructure, and never provided by accident in an image. (If a user decided
> they must do something like this, we can't stop them -- but we should allow it
> to happen either by accident or make it look like it's good practice.)

It's in the same class as debug-tweaks in IMAGE_FEATURES, so if we can tie it to debug-tweaks we should be offering a good, balanced solution.

> --Mark
>
> On 9/23/20 10:05 AM, Richard Purdie wrote:
> > Host keys are getting bigger and taking an ever increasing amount of time
> > to generate. Whilst we do need to test that works, we don't need to test
> > it in every image. Add a recipe which can be added to images with
> > pre-generated keys, allowing us to speed up tests on the autobuilder
> > where it makes sense to.
> > > > Signed-off-by: Richard Purdie > > --- > > .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes > > .../openssh/ssh_host_ecdsa_key| 9 + > > .../openssh/ssh_host_ecdsa_key.pub| 1 + > > .../openssh/ssh_host_ed25519_key | 7 > > .../openssh/ssh_host_ed25519_key.pub | 1 + > > .../openssh/ssh_host_rsa_key | 38 ++ > > .../openssh/ssh_host_rsa_key.pub | 1 + > > .../ssh-pregen-hostkeys_1.0.bb| 19 + > > 8 files changed, 76 insertions(+) > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub > > create mode 100644 > > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb 
> > > > diff --git > > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > > > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > > new file mode 100644 > > index > > ..30443c94388530f82308f41517839c8932026eec > > GIT binary patch > > literal 805 > > zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9o > z#>e=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX > > ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs > > zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj > zr|?tGWY(1vcP3@X_D<(~^_D`?%NDne77p}AN|!y909XYC`_sATu*WrQf(gmixEp2- > > z>$8a#0)WG > zP#Ae@xR_Z!^$9gP{n3QwBhy^nPrHKA9b%3xtLoGy16TJlVr!|nt%cHREwUHDBZ)#& > > zIuv0};sB&0b(1XUZ=R#^gKw)AJ->viB+c > z@@ZGZ%D<}4p}ve0)Xwh;edfrl=)p~)sWosd`Y;+BqJ~l)2TH)09_+3 > > zZ4`?ekchIl_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg > zbV^FhSAdt5 > z)g%(nv9r;~j;->7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)Gfn > zS-L{YkFoPvZ(fHzZ3tgU=!A>JlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF > > zuVc{w004mi|Ec > zN-Z{|f9K{)ifw^eNk}eKbdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP& > > jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR& > > > > literal 0 > > HcmV?d1 > > > > diff --git > > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > > > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > > new file mode 100644 > > index 000..86c2104ec8a > > --- /dev/null > > +++ > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key 
> > @@ -0,0 +1,9 @@ > > +-BEGIN OPENSSH PRIVATE KEY- > > +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS > > +1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF > > +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN > > +uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30 > > +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E > > +cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw > > +cwECAw== > > +-END OPENSSH PRIVATE KEY- > > diff --git > >
Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys
On Mon, Sep 28, 2020 at 12:39, Mark Hatle wrote:
>
> I'm worried about this from a product security perspective.
>
> I think this is a very valid case for an autobuilder/autotest infrastructure,
> however if this ends up in a release product it will lead to huge problems.
>
> Is there a way we can ensure this can only be used for the autobuilder/autotest
> infrastructure, and never provided by accident in an image. (If a user decided
> they must do something like this, we can't stop them -- but we should allow it
> to happen either by accident or make it look like it's good practice.)

Maybe a YP_AB_SPECIFIC variable which, if not set, a Python function could use to skip the recipe?

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750
Re: [OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys
I'm worried about this from a product security perspective.

I think this is a very valid case for an autobuilder/autotest infrastructure,
however if this ends up in a release product it will lead to huge problems.

Is there a way we can ensure this can only be used for the autobuilder/autotest
infrastructure, and never provided by accident in an image. (If a user decided
they must do something like this, we can't stop them -- but we should allow it
to happen either by accident or make it look like it's good practice.)

--Mark

On 9/23/20 10:05 AM, Richard Purdie wrote:
> Host keys are getting bigger and taking an ever increasing amount of time
> to generate. Whilst we do need to test that works, we don't need to test
> it in every image. Add a recipe which can be added to images with
> pre-generated keys, allowing us to speed up tests on the autobuilder
> where it makes sense to.
> > Signed-off-by: Richard Purdie > --- > .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes > .../openssh/ssh_host_ecdsa_key| 9 + > .../openssh/ssh_host_ecdsa_key.pub| 1 + > .../openssh/ssh_host_ed25519_key | 7 > .../openssh/ssh_host_ed25519_key.pub | 1 + > .../openssh/ssh_host_rsa_key | 38 ++ > .../openssh/ssh_host_rsa_key.pub | 1 + > .../ssh-pregen-hostkeys_1.0.bb| 19 + > 8 files changed, 76 insertions(+) > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub > create mode 100644 > meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb 
> > diff --git > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key > new file mode 100644 > index > ..30443c94388530f82308f41517839c8932026eec > GIT binary patch > literal 805 > zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9o z#>e=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX > ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs > zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj zr|?tGWY(1vcP3@X_D<(~^_D`?%NDne77p}AN|!y909XYC`_sATu*WrQf(gmixEp2- > z>$8a#0)WG zP#Ae@xR_Z!^$9gP{n3QwBhy^nPrHKA9b%3xtLoGy16TJlVr!|nt%cHREwUHDBZ)#& > zIuv0};sB&0b(1XUZ=R#^gKw)AJ->viB+c z@@ZGZ%D<}4p}ve0)Xwh;edfrl=)p~)sWosd`Y;+BqJ~l)2TH)09_+3 > zZ4`?ekchIl_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg zbV^FhSAdt5 z)g%(nv9r;~j;->7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)Gfn zS-L{YkFoPvZ(fHzZ3tgU=!A>JlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF > zuVc{w004mi|Ec zN-Z{|f9K{)ifw^eNk}eKbdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP& > jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR& > > literal 0 > HcmV?d1 > > diff --git > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > new file mode 100644 > index 000..86c2104ec8a > --- /dev/null > +++ > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key > @@ -0,0 +1,9 @@ > +-BEGIN OPENSSH PRIVATE KEY- > +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS > +1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF > +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN > +uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30 > +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E > +cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw > +cwECAw== > +-END OPENSSH PRIVATE KEY- 
> diff --git > a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub > > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub > new file mode 100644 > index 000..a358aeb88a7 > --- /dev/null > +++ > b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub > @@ -0,0 +1 @@ > +ecdsa-sha2-nistp256 >
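Mark's question above, whether a pregenerated key can be kept out of a release image, is something a build pipeline can check for itself. The script below is an added example written for this thread; it is not part of the patch or of OE-core. It walks an extracted root filesystem, reports every SSH host key that is present at build time (a release image is expected to have none, since sshd and dropbear generate theirs on first boot), renders the OpenSSH SHA256 fingerprint the way `ssh-keygen -lf` does, and compares it against a blocklist of fingerprints a product team would keep for known pregenerated keys. The directories etc/ssh and etc/dropbear are the stock defaults and are assumed; the sample rootfs, the 32-byte ed25519 public value and the dummy private-key file are constructed here and are not the keys from the patch (the patch's base64 is truncated on this page, so the real fingerprints cannot be computed from it).

```python
"""Audit an extracted root filesystem for SSH host keys baked in at build time.

Added example for this thread, not OE-core code. A release image is expected to
carry no host keys in its rootfs; sshd and dropbear generate them on first boot.
"""
import base64
import hashlib
import os
import re
import stat
import struct
import tempfile

# Stock host-key locations for OpenSSH and Dropbear (assumed default layout).
HOST_KEY_DIRS = ("etc/ssh", "etc/dropbear")
# ssh_host_<alg>_key[.pub] (OpenSSH) or dropbear_<alg>_host_key (Dropbear).
HOST_KEY_NAME = re.compile(r"^(ssh_host_[a-z0-9]+_key(\.pub)?|dropbear_[a-z0-9]+_host_key)$")


def parse_openssh_pubkey(line):
    """Split a public-key line into (keytype, raw blob, comment).

    The blob's first wire string is the key type; it must match the text prefix,
    otherwise the file was hand-edited or mislabelled.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n].decode("ascii", "replace")
    if inner != keytype:
        raise ValueError(f"key type mismatch: {keytype!r} outside, {inner!r} inside blob")
    return keytype, blob, comment


def sha256_fingerprint(blob):
    """Render the fingerprint as `ssh-keygen -lf` does: SHA256 of the blob,
    base64 without '=' padding, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_rootfs(rootfs, blocked_fingerprints=frozenset()):
    """Return (path, message) findings for every host key found under rootfs."""
    findings = []
    for rel in HOST_KEY_DIRS:
        directory = os.path.join(rootfs, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not HOST_KEY_NAME.match(name):
                continue
            path = os.path.join(directory, name)
            if name.endswith(".pub"):
                try:
                    with open(path) as f:
                        keytype, blob, comment = parse_openssh_pubkey(f.read())
                except ValueError as exc:
                    findings.append((path, f"unparseable public key: {exc}"))
                    continue
                fp = sha256_fingerprint(blob)
                label = "known pregenerated" if fp in blocked_fingerprints else "baked-in"
                findings.append((path, f"{label} {keytype} host key {fp} ({comment})"))
            else:
                # Any private host key present at build time is a finding by itself;
                # a loose file mode on top of that is reported as well.
                mode = stat.S_IMODE(os.stat(path).st_mode)
                msg = "baked-in private host key"
                if mode & 0o077:
                    msg += f", mode {mode:04o} is group/world readable"
                findings.append((path, msg))
    return findings


def make_ed25519_pubkey_line(pub32, comment):
    """Wire-encode 32 bytes as an ssh-ed25519 public key line (constructed data)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}\n"


# Constructed sample material: predictable bytes standing in for a public value,
# a dummy PEM body standing in for the private half. Neither is a real key.
SAMPLE_PUB32 = bytes(range(32))
SAMPLE_COMMENT = "root@qemupregen"


def build_sample_rootfs():
    """Create a throwaway rootfs that ships an ed25519 host key pair (constructed)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    ssh_dir = os.path.join(root, "etc", "ssh")
    os.makedirs(ssh_dir)
    priv = os.path.join(ssh_dir, "ssh_host_ed25519_key")
    with open(priv, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(priv, 0o644)  # deliberately too open, to exercise the mode check
    with open(priv + ".pub", "w") as f:
        f.write(make_ed25519_pubkey_line(SAMPLE_PUB32, SAMPLE_COMMENT))
    return root


if __name__ == "__main__":
    # The fingerprint a product team would block once it knows the key is public.
    blocked = {sha256_fingerprint(parse_openssh_pubkey(
        make_ed25519_pubkey_line(SAMPLE_PUB32, SAMPLE_COMMENT))[1])}
    for path, msg in audit_rootfs(build_sample_rootfs(), blocked):
        print(f"{path}: {msg}")
```

Run it against the image's rootfs directory (or an unpacked rootfs tarball) as a post-build step and fail the build on any finding; the blocklist is a belt-and-braces addition, since the presence of any host key at all is already the signal that a debug-only recipe leaked into the image.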
[OE-core] [PATCH 2/2] ssh-regen-hostkeys: Add a recipe with pregenerated ssh host keys
Host keys are getting bigger and taking an ever increasing amount of time
to generate. Whilst we do need to test that works, we don't need to test
it in every image. Add a recipe which can be added to images with
pre-generated keys, allowing us to speed up tests on the autobuilder
where it makes sense to.

Signed-off-by: Richard Purdie
---
 .../ssh-pregen-hostkeys/dropbear_rsa_host_key | Bin 0 -> 805 bytes
 .../openssh/ssh_host_ecdsa_key                |   9 +
 .../openssh/ssh_host_ecdsa_key.pub            |   1 +
 .../openssh/ssh_host_ed25519_key              |   7
 .../openssh/ssh_host_ed25519_key.pub          |   1 +
 .../openssh/ssh_host_rsa_key                  |  38 ++
 .../openssh/ssh_host_rsa_key.pub              |   1 +
 .../ssh-pregen-hostkeys_1.0.bb                |  19 +
 8 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
 create mode 100644 meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key new file mode 100644 index ..30443c94388530f82308f41517839c8932026eec GIT binary patch literal 805 zcmV+=1KRum000Mbb7(Dcb724g00RL40RR920RW_9oe=VPY-g{TMU)xikgot*E3d4mq}vnGGMFK&?`3lQuzp%?!~`G;T{U;4Y_oX ztW&5pYa=!AY~l?MU+0l28E$@8(~zi5Bd|IC1+@_wEtWbRYFyfC@g&!whp05e8cXIs zAO2$|o3V1#D_vFi`9{vpf^~zgpZ#hwyW(^VKuj$8a#0)WGviB+c_qjZCYr4Lp0K;iIPX5{`t64nTmV(|FuFJ$BAyJg?pxXg7$f}g_o>)88b=v%Es_PL7V(*H}r1F5#*9l3)GfnJlT_mL2YLkdI4|&9vMig5l?U-%Rc`5EN%eoyF zuVc{w004mi|EcdX6Z%1|5s(MS`eaRn9_0H4of0ISncPXCoP& jnu6P-g&8cZCSpI?z=;2?Sr97OqIjGUAl>AZv%QM*=5vR& literal 0 HcmV?d1 diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key new file mode 100644 index 000..86c2104ec8a --- /dev/null +++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key @@ -0,0 +1,9 @@ +-BEGIN OPENSSH PRIVATE KEY- +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABaBNlY2RzYS +1zaGEyLW5pc3RwMjU2CG5pc3RwMjU2QQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF +rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHqAoE27MKBN +uzE2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA30 +07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E +cgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sNcm9vdEBxZW11bWlw +cwECAw== +-END OPENSSH PRIVATE KEY- diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub new file mode 100644 index 000..a358aeb88a7 --- /dev/null +++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub 
@@ -0,0 +1 @@ +ecdsa-sha2-nistp256 E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBElHqJnGv81OpA3007BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2Ec= root@qemupregen diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key new file mode 100644 index 000..00ed9adae2f --- /dev/null +++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-BEGIN OPENSSH PRIVATE KEY- +b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABMwtzc2gtZW +QyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbwAAAJChFtV0oRbV +dAtzc2gtZWQyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbw +AAAEA8UiUsygsTbP0HkDi5leXpQaVXihDyCHeitkBCItJGhcdIVMBsnc5N3WvUTwbkmV4K +awkSlAeZ1Ma0xxirBZtvDXJvb3RAcWVtdW1pcHM= +-END OPENSSH PRIVATE KEY- diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
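Review bot: The dropbear_rsa_host_key hunk commits a binary private key ("GIT binary patch", "literal 805") that cannot be inspected in review: neither the RSA size nor the dropbearkey invocation that produced it is visible, and nothing in the hunk marks it as autobuilder-only material. Please record the exact generation command in the commit message and state in the recipe that the key is public and must never ship in a product image. The recipe file ssh-pregen-hostkeys_1.0.bb is listed in the diffstat (19 lines) but is not shown in this excerpt, so its install paths and file modes could not be checked here.

Review bot: The ssh_host_ecdsa_key hunk adds an unencrypted OpenSSH private key (a plain "BEGIN OPENSSH PRIVATE KEY" block) to a public repository, so every image that includes this recipe presents a host identity whose private half anyone can download; an attacker on the path can then impersonate the device or sit in the middle of an SSH session without triggering the client's host-key warning. The hunk carries no guard of its own, which is the concern raised in the thread; the recipe should refuse to be installed unless an explicit opt-in is set (the thread suggests tying it to debug-tweaks in IMAGE_FEATURES), and the test infrastructure should assert the key is absent from non-debug images.

Review bot: In the ssh_host_ecdsa_key.pub hunk the trailing comment reads "root@qemupregen", while the comment embedded at the end of the private key in the previous hunk decodes to "root@qemumips" (the "cm9vdEBxZW11bWlwcwECAw==" run before the END line). This is cosmetic, but it shows the .pub line was edited after generation; regenerate both halves together or drop the comment, and consider recording the SHA256 fingerprint (ssh-keygen -lf) in the recipe so product teams can grep release images for it.

Review bot: The ssh_host_ed25519_key hunk has the same problem as the ECDSA key: an unencrypted private key committed in the clear, with the embedded comment "root@qemumips" (the trailing "DXJvb3RAcWVtdW1pcHM=" decodes to it). The same remedy applies, and whatever gating is chosen for the ECDSA key must cover this file and the RSA key listed in the diffstat as well, since a single forgotten key type is enough to leave the image impersonable.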