[OE-core] [PATCH] openssh: Atomically generate host keys

Burton, Ross ross.burton at intel.com
Tue May 23 14:37:16 UTC 2017


On 7 May 2017 at 02:33, Joshua Watt <jpewhacker at gmail.com> wrote:

> +if [ ! -f "$NAME" ]; then
> +    echo "  generating ssh $TYPE key..."
> +    ssh-keygen -q -f "${NAME}.tmp" -N '' -t $TYPE
> +
> +    # Sync to ensure data is written to temp file before renaming
> +    sync
> +
> +    # Move (Atomically rename) files
> +    # Rename the .pub file first, since the check that triggers a
> +    # key generation is based on the private file.
> +    mv -f "${NAME}.tmp.pub" "${NAME}.pub"
> +    sync
> +
> +    mv -f "${NAME}.tmp" "${NAME}"
> +    sync
> +fi
>
>
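Review bot: the ssh-keygen line never has its exit status checked and nothing clears a stale `${NAME}.tmp` left by an interrupted earlier run; ssh-keygen asks before overwriting an existing file and a systemd unit has no stdin to answer with, so a leftover temp file makes generation fail silently and the two `mv -f` lines then rename whatever is (or is not) there. Suggest `rm -f "${NAME}.tmp" "${NAME}.tmp.pub"` before the ssh-keygen call and `|| exit 1` after it. On the syncs: `mv` within one filesystem is a single rename(), which is already atomic, so at most one `sync` before the renames (to make the temp contents durable) and one after (for the directory entries) is needed; the middle one adds nothing.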
All of these syncs seem quite enthusiastic, are they really needed?
Writing the file to a temporary name and then mving it to the real name
should result in either no file or a complete file in the event of power
loss, surely?


> diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> index 148e6ad..af56404 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> @@ -1,22 +1,14 @@
>  [Unit]
>  Description=OpenSSH Key Generation
>  RequiresMountsFor=/var /run
> -ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
> -ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
> -ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
> -ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
>
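Review bot: removing all eight ConditionPathExists lines takes away the only thing that kept this unit from being started on every boot; the `[ ! -f "$NAME" ]` test in the script only skips the ssh-keygen call, not the unit itself. If the intent is "run when any key is missing", keep the lines and prefix each with `|` so systemd ORs them (e.g. `ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key`); if the script is now meant to own the check, the commit message should say why the unit-level guard was dropped.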

Can you not continue to use ConditionPathExists to only run this unit if it
needs to run?  You can prepend the argument with | to make them logical OR
instead of logical AND, if I'm reading this documentation correctly.

Ross
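As an added example that is not the patch under review nor OE-core code, the sh function below applies the points raised above: it clears stale temp files, checks ssh-keygen's exit status, and keeps one sync on either side of the atomic renames. The function name `gen_host_key` and the `KEYGEN` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the patch under review): generate one sshd host key so that
# the final key path only ever holds a complete key, even if power is lost mid-way.
# Assumes POSIX sh and ssh-keygen in PATH; KEYGEN can be overridden for testing.
KEYGEN="${KEYGEN:-ssh-keygen}"

# gen_host_key PATH TYPE
#   PATH is the private key file (e.g. /etc/ssh/ssh_host_ed25519_key), TYPE the
#   ssh-keygen key type. Returns 0 if the key exists afterwards, non-zero otherwise.
gen_host_key() {
    name="$1"; type="$2"
    tmp="${name}.tmp"

    # Already generated: nothing to do (same check the unit's script relies on).
    [ -f "$name" ] && return 0

    # Clear leftovers from an interrupted earlier run; ssh-keygen asks before
    # overwriting an existing file and a service has no stdin to answer with.
    rm -f "$tmp" "${tmp}.pub"

    # Fail loudly instead of renaming files that were never written.
    "$KEYGEN" -q -f "$tmp" -N '' -t "$type" || return 1
    [ -f "$tmp" ] && [ -f "${tmp}.pub" ] || return 1

    # One sync makes the temp contents durable; rename() itself is atomic within
    # a filesystem, so a reader sees either no key or a complete key, never a partial one.
    sync
    # Public key first: the "is the key generated?" check is on the private file.
    mv -f "${tmp}.pub" "${name}.pub" || return 1
    mv -f "$tmp" "$name" || return 1
    # Final sync makes the new directory entries durable too.
    sync
}

# Usage: gen-host-key.sh /etc/ssh/ssh_host_ed25519_key ed25519
if [ $# -eq 2 ]; then
    gen_host_key "$1" "$2"
fi
```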