[OE-core] [PATCH] openssh: Atomically generate host keys

Joshua Watt jpewhacker at gmail.com
Tue Jun 20 14:07:21 UTC 2017


On Tue, 2017-06-20 at 10:52 +0200, Ulrich Ölmann wrote:
> On Tue, May 23, 2017 at 03:37:16PM +0100, Burton, Ross wrote:
> > On 7 May 2017 at 02:33, Joshua Watt <jpewhacker at gmail.com> wrote:
> > > diff --git a/meta/recipes-
> > > connectivity/openssh/openssh/sshdgenkeys.service
> > > b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > > index 148e6ad..af56404 100644
> > > --- a/meta/recipes-
> > > connectivity/openssh/openssh/sshdgenkeys.service
> > > +++ b/meta/recipes-
> > > connectivity/openssh/openssh/sshdgenkeys.service
> > > @@ -1,22 +1,14 @@
> > >  [Unit]
> > >  Description=OpenSSH Key Generation
> > >  RequiresMountsFor=/var /run
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
> > > -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
> > > -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
> > > 
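Review bot: removing all eight ConditionPathExists lines means the unit no longer skips when a complete key set already exists in /etc/ssh; on a read-write root the /var/run/ssh files are still absent, so the unit is started every boot (the point raised further down). The `|` (OR) prefix Ross mentions would not restore the skip either, because `ConditionPathExists=|!/var/run/ssh/ssh_host_rsa_key` still fires whenever that single file is missing, which is exactly the /etc/ssh-keys-present case. Since the "does this key need generating" decision is being moved into sshd-check-key, the commit message should state that the unit is now expected to run every time and that the script is idempotent, so the behaviour change is documented rather than implied.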
> > 
> > Can you not continue to use ConditionPathExists to only run this unit if it
> > needs to run?  You can prepend the argument with | to make them logical OR
> > instead of logical AND, if I'm reading this documentation correctly.
> 
> Am I right that if we have a read-write mounted root-FS with already existing
> keys in /etc/ssh the service unit will nevertheless be started on _every_ boot
> now as the files which are checked for existence in /var/run/ssh are missing?

Yes. The service is actually run when the first ssh connection is made
(not at boot time), but it will do so on the first connection every
boot cycle. I don't know a way to do a complex conditional in systemd,
so this does the superset and makes sshd-check-key figure out if the
key actually needs generating or not. Perhaps there is a better way to
do this with the systemd conditional syntax that I am not aware of?
Ideally, the conditional checks in the systemd unit would be able to
use the SYSCONFDIR from /etc/default/ssh, but I'm not sure if that is
possible.

> 
> Best regards
> Ulrich
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
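As an added illustration of the "run the superset, let the script decide" design Joshua describes above (this is not the recipe's own sshd-check-key script), the following POSIX sh checks which of the unit's four host key types are actually missing in a directory and generates each missing one atomically; ssh-keygen is assumed as the generator and can be overridden via KEYGEN.

```shell
#!/bin/sh
# Added illustration: the unit starts unconditionally, and this logic works
# out which host keys are really missing and creates each one atomically
# (temp directory + rename), so a crash or a second concurrent run never
# leaves a half-written key file where sshd would look for one.
# KEYGEN is assumed to be ssh-keygen; it can be overridden for testing.
KEYGEN="${KEYGEN:-ssh-keygen}"
# Key types mirror the ones the unit file used to check for.
KEY_TYPES="rsa dsa ecdsa ed25519"

# Print, space separated, the key types whose private key is absent in $1.
missing_host_keys() {
    keydir="$1"; out=""
    for t in $KEY_TYPES; do
        [ -f "$keydir/ssh_host_${t}_key" ] || out="$out $t"
    done
    printf '%s\n' "${out# }"
}

# Generate one host key of type $2 into directory $1 atomically: the pair is
# written into a private temp directory on the same filesystem and then
# renamed into place, so only complete files ever appear under the final name.
generate_host_key_atomic() {
    keydir="$1"; ktype="$2"
    final="$keydir/ssh_host_${ktype}_key"
    tmpd=$(mktemp -d "$keydir/.keygen.XXXXXX") || return 1
    if ! "$KEYGEN" -q -t "$ktype" -N '' -f "$tmpd/key"; then
        rm -rf "$tmpd"; return 1
    fi
    # Public half first: once the private key is visible, its .pub exists too.
    mv -f "$tmpd/key.pub" "$final.pub" && mv -f "$tmpd/key" "$final"
    rc=$?
    rm -rf "$tmpd"
    return $rc
}

# Create whichever keys are missing in $1; returns non-zero on any failure.
ensure_host_keys() {
    for t in $(missing_host_keys "$1"); do
        generate_host_key_atomic "$1" "$t" || return 1
    done
}
```

Because the check is by private-key presence and the public half is renamed first, a run interrupted between the two renames simply regenerates that key type next time.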
