[OE-core] [PATCH v7] openssh: Atomically generate host keys
Joshua Watt
jpewhacker at gmail.com
Mon Jun 12 12:25:00 UTC 2017
On Tue, 2017-06-06 at 22:30 -0500, Joshua Watt wrote:
> On Wed, May 31, 2017 at 10:05 PM, Joshua Watt <jpewhacker at gmail.com>
> wrote:
> > Generating the host keys atomically prevents power interruptions
> > during
> > the first boot from leaving the key files incomplete, which often
> > prevents users from being able to ssh into the device.
> >
> > Signed-off-by: Joshua Watt <JPEWhacker at gmail.com>
> > ---
> > meta/recipes-connectivity/openssh/openssh/init | 22 ++++----
> > ------
> > .../openssh/openssh/sshd-check-key | 35
> > ++++++++++++++++++++++
> > .../openssh/openssh/sshdgenkeys.service | 25 ++++++++
> > --------
> > meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 8 +++++
> > 4 files changed, 61 insertions(+), 29 deletions(-)
> > create mode 100644 meta/recipes-connectivity/openssh/openssh/sshd-
> > check-key
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/init
> > b/meta/recipes-connectivity/openssh/openssh/init
> > index 1f63725..e02c479 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/init
> > +++ b/meta/recipes-connectivity/openssh/openssh/init
> > @@ -45,23 +45,11 @@ check_config() {
> > }
> >
> > check_keys() {
> > - # create keys if necessary
> > - if [ ! -f $HOST_KEY_RSA ]; then
> > - echo " generating ssh RSA key..."
> > - ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
> > - fi
> > - if [ ! -f $HOST_KEY_ECDSA ]; then
> > - echo " generating ssh ECDSA key..."
> > - ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
> > - fi
> > - if [ ! -f $HOST_KEY_DSA ]; then
> > - echo " generating ssh DSA key..."
> > - ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
> > - fi
> > - if [ ! -f $HOST_KEY_ED25519 ]; then
> > - echo " generating ssh ED25519 key..."
> > - ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
> > - fi
> > + @LIBEXECDIR@/sshd-check-key $HOST_KEY_RSA rsa
> > + @LIBEXECDIR@/sshd-check-key $HOST_KEY_ECDSA ecdsa
> > + @LIBEXECDIR@/sshd-check-key $HOST_KEY_DSA dsa
> > + @LIBEXECDIR@/sshd-check-key $HOST_KEY_ED25519 ed25519
> > + @BASE_BINDIR@/sync
> > }
> >
> > export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd-check-
> > key b/meta/recipes-connectivity/openssh/openssh/sshd-check-key
> > new file mode 100644
> > index 0000000..3afdb8b
> > --- /dev/null
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd-check-key
> > @@ -0,0 +1,35 @@
> > +#! /bin/sh
> > +NAME="$1"
> > +TYPE="$2"
> > +
> > +if [ -z "$NAME" ] || [ -z "$TYPE" ]; then
> > + echo "Usage: $0 NAME TYPE"
> > + exit 1
> > +fi
> > +
> > +
> > +if [ ! -f "$NAME" ]; then
> > + DIR="$(dirname "$NAME")"
> > +
> > + echo " generating ssh $TYPE key..."
> > + ssh-keygen -q -f "${NAME}.tmp" -N '' -t $TYPE
> > +
> > + # Move (Atomically rename) files
> > + mv -f "${NAME}.tmp.pub" "${NAME}.pub"
> > +
> > + # This sync does double duty: Ensuring that the data in the
> > temporary
> > + # private key file is on disk before the rename, and ensuring
> > that the
> > + # public key rename is completed before the private key
> > rename, since we
> > + # switch on the existence of the private key to trigger key
> > generation.
> > + # This does mean it is possible for the public key to exist,
> > but be garbage
> > + # but this is OK because in that case the private key won't
> > exist and the
> > + # keys will be regenerated.
> > + #
> > + # In the event that sync understands arguments that limit what
> > it tries to
> > + # fsync(), we provided them. If it does not, it will simply
> > call sync()
> > + # which is just as well
> > + sync "${NAME}.pub" "$DIR" "${NAME}.tmp"
> > +
> > + mv "${NAME}.tmp" "$NAME"
> > +fi
> > +
> > diff --git a/meta/recipes-
> > connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-
> > connectivity/openssh/openssh/sshdgenkeys.service
> > index 148e6ad..23fd351 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > @@ -1,22 +1,23 @@
> > [Unit]
> > Description=OpenSSH Key Generation
> > RequiresMountsFor=/var /run
> > -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
> > -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
> > -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
> > -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
> > -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
> > -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
> > -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
> > -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
> > +ConditionPathExists=|!/var/run/ssh/ssh_host_rsa_key
> > +ConditionPathExists=|!/var/run/ssh/ssh_host_dsa_key
> > +ConditionPathExists=|!/var/run/ssh/ssh_host_ecdsa_key
> > +ConditionPathExists=|!/var/run/ssh/ssh_host_ed25519_key
> > +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> > +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> > +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> > +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> >
> > [Service]
> > Environment="SYSCONFDIR=/etc/ssh"
> > EnvironmentFile=-/etc/default/ssh
> > ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
> > -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key
> > -N '' -t rsa
> > -ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key
> > -N '' -t dsa
> > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
> > -ExecStart=@BINDIR@/ssh-keygen -q -f
> > ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
> > +ExecStart=@LIBEXECDIR@/sshd-check-key
> > ${SYSCONFDIR}/ssh_host_rsa_key rsa
> > +ExecStart=@LIBEXECDIR@/sshd-check-key
> > ${SYSCONFDIR}/ssh_host_dsa_key dsa
> > +ExecStart=@LIBEXECDIR@/sshd-check-key
> > ${SYSCONFDIR}/ssh_host_ecdsa_key ecdsa
> > +ExecStart=@LIBEXECDIR@/sshd-check-key
> > ${SYSCONFDIR}/ssh_host_ed25519_key ed25519
> > +ExecStart=@BASE_BINDIR@/sync
> > Type=oneshot
> > RemainAfterExit=yes
> > diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > index 5b96745..ec4b55f 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > @@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/Ope
> > nSSH/portable/openssh-${PV}.tar
> > file://openssh-7.1p1-conditional-compile-des-in-
> > cipher.patch \
> > file://openssh-7.1p1-conditional-compile-des-in-
> > pkcs11.patch \
> > file://fix-potential-signed-overflow-in-pointer-
> > arithmatic.patch \
> > + file://sshd-check-key \
> > "
> >
> > PAM_SRC_URI = "file://sshd"
> > @@ -124,7 +125,14 @@ do_install_append () {
> > sed -i -e 's, at BASE_BINDIR@,${base_bindir},g' \
> > -e 's, at SBINDIR@,${sbindir},g' \
> > -e 's, at BINDIR@,${bindir},g' \
> > + -e 's, at LIBEXECDIR@,${libexecdir}/${BPN},g' \
> > ${D}${systemd_unitdir}/system/sshd.socket
> > ${D}${systemd_unitdir}/system/*.service
> > +
> > + sed -i -e 's, at LIBEXECDIR@,${libexecdir}/${BPN},g' \
> > + -e 's, at BASE_BINDIR@,${base_bindir},g' \
> > + ${D}${sysconfdir}/init.d/sshd
> > +
> > + install -D -m 0755 ${WORKDIR}/sshd-check-key
> > ${D}${libexecdir}/${BPN}
> > }
> >
> > do_install_ptest () {
> > --
> > 2.9.4
> >
>
> Ping?
More information about the Openembedded-core
mailing list